author | Andreas Schneider <asn@samba.org> | 2011-08-03 23:44:45 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2011-08-04 12:31:18 +0200 |
commit | 68e7b9307adabd9e3e12e95e0995051d366d8cf5 (patch) | |
tree | 991851d9e70f4d3acc00b89b3ab84fe9917bd589 /source4/librpc/rpc | |
parent | fff3f290736f0b75903bfefeb961ee935930303b (diff) | |
s4-librpc: Fix double free.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Thu Aug 4 12:31:18 CEST 2011 on sn-devel-104
Diffstat (limited to 'source4/librpc/rpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc_smb.c | 11 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_smb2.c | 13 |
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c index 395e067255..c2312953f8 100644 --- a/source4/librpc/rpc/dcerpc_smb.c +++ b/source4/librpc/rpc/dcerpc_smb.c @@ -79,6 +79,7 @@ struct smb_read_state { */ static void smb_read_callback(struct smbcli_request *req) { + struct dcecli_connection *c; struct smb_private *smb; struct smb_read_state *state; union smb_read *io; @@ -88,11 +89,12 @@ static void smb_read_callback(struct smbcli_request *req) state = talloc_get_type(req->async.private_data, struct smb_read_state); smb = talloc_get_type(state->c->transport.private_data, struct smb_private); io = state->io; + c = state->c; status = smb_raw_read_recv(state->req, io); if (NT_STATUS_IS_ERR(status)) { - pipe_dead(state->c, status); talloc_free(state); + pipe_dead(c, status); return; } @@ -101,8 +103,8 @@ static void smb_read_callback(struct smbcli_request *req) if (state->received < 16) { DEBUG(0,("dcerpc_smb: short packet (length %d) in read callback!\n", (int)state->received)); - pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH); talloc_free(state); + pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH); return; } @@ -110,7 +112,6 @@ static void smb_read_callback(struct smbcli_request *req) if (frag_length <= state->received) { DATA_BLOB data = state->data; - struct dcecli_connection *c = state->c; data.length = state->received; talloc_steal(state->c, data.data); talloc_free(state); @@ -128,8 +129,8 @@ static void smb_read_callback(struct smbcli_request *req) state->req = smb_raw_read_send(smb->tree, io); if (state->req == NULL) { - pipe_dead(state->c, NT_STATUS_NO_MEMORY); talloc_free(state); + pipe_dead(c, NT_STATUS_NO_MEMORY); return; } @@ -257,7 +258,7 @@ static NTSTATUS smb_send_trans_request(struct dcecli_connection *c, DATA_BLOB *b struct smb_trans_state *state; uint16_t max_data; - state = talloc(smb, struct smb_trans_state); + state = talloc(c, struct smb_trans_state); if (state == NULL) { return NT_STATUS_NO_MEMORY; } 
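Review bot: The new free-then-notify order in the error paths of smb_read_callback (`talloc_free(state); pipe_dead(c, status);`) is what prevents the double free, but nothing in the code records that, so a later cleanup could swap the two calls back. I would add a comment at the first occurrence, for example `/* free state before pipe_dead(): the dead-pipe path may release memory that state hangs off, so only the saved c is used afterwards */`, with the wording checked against pipe_dead itself, whose body is not part of this diff. The same comment applies to the short-packet and `state->req == NULL` paths further down and to every error path of smb2_read_callback in dcerpc_smb2.c. The function starts and ends outside these hunks.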
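Review bot: The completed-fragment branch of smb_read_callback still calls `talloc_steal(state->c, data.data);` even though the function-wide `c` introduced by this commit already holds the same pointer. Writing `talloc_steal(c, data.data);` would match smb2_read_callback in dcerpc_smb2.c. It would also mean that nothing after the early `c = state->c;` reaches the connection through `state`, which makes the free-ordering easier to audit.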
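Review bot: Reparenting the request state from `smb` to `c` in `state = talloc(c, struct smb_trans_state);` changes when leftover state is reclaimed: anything not freed explicitly now lives until the connection is freed rather than until the transport private data goes away. The hunk ends right after the NULL check, so the later failure returns of smb_send_trans_request are not visible here and should be checked for a `talloc_free(state)` on each of them. It is also worth confirming why this file reparents `smb_trans_state` while the allocation of `smb_read_state`, the type smb_read_callback frees, is not touched, whereas dcerpc_smb2.c changes the `smb2_read_state` allocation in send_read_request_continue. A short comment such as `/* parented on c so that freeing the transport private data cannot free state behind the callback */` would record the intent, if that is indeed the reason.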
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c index 50aed8cfd8..59ee7a8fd8 100644 --- a/source4/librpc/rpc/dcerpc_smb2.c +++ b/source4/librpc/rpc/dcerpc_smb2.c @@ -78,6 +78,7 @@ struct smb2_read_state { */ static void smb2_read_callback(struct smb2_request *req) { + struct dcecli_connection *c; struct smb2_private *smb; struct smb2_read_state *state; struct smb2_read io; @@ -86,26 +87,27 @@ static void smb2_read_callback(struct smb2_request *req) state = talloc_get_type(req->async.private_data, struct smb2_read_state); smb = talloc_get_type(state->c->transport.private_data, struct smb2_private); + c = state->c; status = smb2_read_recv(req, state, &io); if (NT_STATUS_IS_ERR(status)) { - pipe_dead(state->c, status); talloc_free(state); + pipe_dead(c, status); return; } if (!data_blob_append(state, &state->data, io.out.data.data, io.out.data.length)) { - pipe_dead(state->c, NT_STATUS_NO_MEMORY); talloc_free(state); + pipe_dead(c, NT_STATUS_NO_MEMORY); return; } if (state->data.length < 16) { DEBUG(0,("dcerpc_smb2: short packet (length %d) in read callback!\n", (int)state->data.length)); - pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH); talloc_free(state); + pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH); return; } @@ -113,7 +115,6 @@ static void smb2_read_callback(struct smb2_request *req) if (frag_length <= state->data.length) { DATA_BLOB data = state->data; - struct dcecli_connection *c = state->c; talloc_steal(c, data.data); talloc_free(state); c->transport.recv_data(c, &data, NT_STATUS_OK); @@ -131,8 +132,8 @@ static void smb2_read_callback(struct smb2_request *req) req = smb2_read_send(smb->tree, &io); if (req == NULL) { - pipe_dead(state->c, NT_STATUS_NO_MEMORY); talloc_free(state); + pipe_dead(c, NT_STATUS_NO_MEMORY); return; } 
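Review bot: In smb2_read_callback, `state` comes from `talloc_get_type(req->async.private_data, struct smb2_read_state)` and is dereferenced immediately (`state->c->transport.private_data`, then the new `c = state->c;`) without a NULL check, although talloc_get_type returns NULL when the pointer's talloc name does not match. Since this commit already tightens lifetime handling in the callback, `talloc_get_type_abort(...)` or an explicit `if (state == NULL) return;` would turn a stale or mistyped private_data pointer into a defined failure instead of a NULL dereference. smb_read_callback in dcerpc_smb.c has the same pattern. The function starts and ends outside these hunks.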
@@ -152,7 +153,7 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO struct smb2_read_state *state; struct smb2_request *req; - state = talloc(smb, struct smb2_read_state); + state = talloc(c, struct smb2_read_state); if (state == NULL) { return NT_STATUS_NO_MEMORY; } |