authorAndreas Schneider <asn@samba.org>2011-08-03 23:44:45 +0200
committerAndreas Schneider <asn@cryptomilk.org>2011-08-04 12:31:18 +0200
commit68e7b9307adabd9e3e12e95e0995051d366d8cf5 (patch)
tree991851d9e70f4d3acc00b89b3ab84fe9917bd589 /source4/librpc/rpc
parentfff3f290736f0b75903bfefeb961ee935930303b (diff)
s4-librpc: Fix double free.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Thu Aug 4 12:31:18 CEST 2011 on sn-devel-104
Diffstat (limited to 'source4/librpc/rpc')
-rw-r--r--source4/librpc/rpc/dcerpc_smb.c11
-rw-r--r--source4/librpc/rpc/dcerpc_smb2.c13
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index 395e067255..c2312953f8 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -79,6 +79,7 @@ struct smb_read_state {
*/
static void smb_read_callback(struct smbcli_request *req)
{
+ struct dcecli_connection *c;
struct smb_private *smb;
struct smb_read_state *state;
union smb_read *io;
@@ -88,11 +89,12 @@ static void smb_read_callback(struct smbcli_request *req)
state = talloc_get_type(req->async.private_data, struct smb_read_state);
smb = talloc_get_type(state->c->transport.private_data, struct smb_private);
io = state->io;
+ c = state->c;
status = smb_raw_read_recv(state->req, io);
if (NT_STATUS_IS_ERR(status)) {
- pipe_dead(state->c, status);
talloc_free(state);
+ pipe_dead(c, status);
return;
}
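Review bot: The new `c = state->c;` is another dereference of a pointer that `talloc_get_type()` can return as NULL when the private data is not of the expected type, and nothing in this hunk checks `state` (or `smb`) before use. Since this runs in an async completion callback, a mismatched or stale `private_data` would crash here rather than fail cleanly. Consider `state = talloc_get_type_abort(req->async.private_data, struct smb_read_state);` or an explicit NULL check before the first dereference. The same pattern appears at the top of `smb2_read_callback` in dcerpc_smb2.c. The function body continues outside this hunk.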
@@ -101,8 +103,8 @@ static void smb_read_callback(struct smbcli_request *req)
if (state->received < 16) {
DEBUG(0,("dcerpc_smb: short packet (length %d) in read callback!\n",
(int)state->received));
- pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
talloc_free(state);
+ pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH);
return;
}
@@ -110,7 +112,6 @@ static void smb_read_callback(struct smbcli_request *req)
if (frag_length <= state->received) {
DATA_BLOB data = state->data;
- struct dcecli_connection *c = state->c;
data.length = state->received;
talloc_steal(state->c, data.data);
talloc_free(state);
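Review bot: With `c` now captured at the top of the function, `talloc_steal(state->c, data.data);` is the one remaining place in this path that still reaches through `state`; the dcerpc_smb2.c version of the same block uses `talloc_steal(c, data.data);`. Using `c` here too keeps the two transports identical and makes it obvious that nothing depends on `state` once the blob has been re-parented. The rest of this branch lies outside the hunk.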
@@ -128,8 +129,8 @@ static void smb_read_callback(struct smbcli_request *req)
state->req = smb_raw_read_send(smb->tree, io);
if (state->req == NULL) {
- pipe_dead(state->c, NT_STATUS_NO_MEMORY);
talloc_free(state);
+ pipe_dead(c, NT_STATUS_NO_MEMORY);
return;
}
@@ -257,7 +258,7 @@ static NTSTATUS smb_send_trans_request(struct dcecli_connection *c, DATA_BLOB *b
struct smb_trans_state *state;
uint16_t max_data;
- state = talloc(smb, struct smb_trans_state);
+ state = talloc(c, struct smb_trans_state);
if (state == NULL) {
return NT_STATUS_NO_MEMORY;
}
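Review bot: The allocation re-parented here is `smb_trans_state` in `smb_send_trans_request`, whereas the callback this commit reorders operates on `smb_read_state`, and the dcerpc_smb2.c counterpart re-parents the read state in `send_read_request_continue` instead. The `smb_read_state` allocation is not in any visible hunk, so it is worth confirming whether it already hangs off `c` or was missed. Separately, tying the state's lifetime to `c` means freeing the connection frees the state while a request may still hold it as `async.private_data`; whether the request is torn down with the connection cannot be seen from here. A short comment such as `/* parented to c: state must not outlive the connection; the request is cancelled when c is freed */` would record the intended ownership if that holds.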
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c
index 50aed8cfd8..59ee7a8fd8 100644
--- a/source4/librpc/rpc/dcerpc_smb2.c
+++ b/source4/librpc/rpc/dcerpc_smb2.c
@@ -78,6 +78,7 @@ struct smb2_read_state {
*/
static void smb2_read_callback(struct smb2_request *req)
{
+ struct dcecli_connection *c;
struct smb2_private *smb;
struct smb2_read_state *state;
struct smb2_read io;
@@ -86,26 +87,27 @@ static void smb2_read_callback(struct smb2_request *req)
state = talloc_get_type(req->async.private_data, struct smb2_read_state);
smb = talloc_get_type(state->c->transport.private_data, struct smb2_private);
+ c = state->c;
status = smb2_read_recv(req, state, &io);
if (NT_STATUS_IS_ERR(status)) {
- pipe_dead(state->c, status);
talloc_free(state);
+ pipe_dead(c, status);
return;
}
if (!data_blob_append(state, &state->data,
io.out.data.data, io.out.data.length)) {
- pipe_dead(state->c, NT_STATUS_NO_MEMORY);
talloc_free(state);
+ pipe_dead(c, NT_STATUS_NO_MEMORY);
return;
}
if (state->data.length < 16) {
DEBUG(0,("dcerpc_smb2: short packet (length %d) in read callback!\n",
(int)state->data.length));
- pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
talloc_free(state);
+ pipe_dead(c, NT_STATUS_INFO_LENGTH_MISMATCH);
return;
}
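Review bot: The order `talloc_free(state); pipe_dead(c, ...);` is now load-bearing on every error path in this callback, but nothing in the code says so, and the commit message gives only "Fix double free". A later cleanup could easily swap the two calls back to the more natural-looking order. Presumably `pipe_dead()` can end up freeing `c` and its talloc children; if so, a comment at the first occurrence such as `/* free state first: pipe_dead() may free c, and with it anything still parented to c */` would protect the fix. The same applies to the `req == NULL` path further down and to the matching paths in `smb_read_callback` in dcerpc_smb.c.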
@@ -113,7 +115,6 @@ static void smb2_read_callback(struct smb2_request *req)
if (frag_length <= state->data.length) {
DATA_BLOB data = state->data;
- struct dcecli_connection *c = state->c;
talloc_steal(c, data.data);
talloc_free(state);
c->transport.recv_data(c, &data, NT_STATUS_OK);
@@ -131,8 +132,8 @@ static void smb2_read_callback(struct smb2_request *req)
req = smb2_read_send(smb->tree, &io);
if (req == NULL) {
- pipe_dead(state->c, NT_STATUS_NO_MEMORY);
talloc_free(state);
+ pipe_dead(c, NT_STATUS_NO_MEMORY);
return;
}
@@ -152,7 +153,7 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
struct smb2_read_state *state;
struct smb2_request *req;
- state = talloc(smb, struct smb2_read_state);
+ state = talloc(c, struct smb2_read_state);
if (state == NULL) {
return NT_STATUS_NO_MEMORY;
}