diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-09-15 11:23:15 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-15 15:39:36 +1000 |
commit | a498ab90fbad872c36900a86fe7ccada64c3c4a7 (patch) | |
tree | 476e0640709f1515c21da466a874b012576683be /source4/rpc_server | |
parent | 0212800de8c6367c9da7939fc43a1fa23c7da2bf (diff) | |
download | samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.gz samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.bz2 samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.zip |
s4-rpc: fixed double free in RPC proxy
the unbind method is only called when the dcesrv_connection_context is
being destroyed (its called from the destructor). That means that priv
is either already free, or is about to be freed, so don't free it
again
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/remote/dcesrv_remote.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/source4/rpc_server/remote/dcesrv_remote.c b/source4/rpc_server/remote/dcesrv_remote.c index 7ba39462fd..23c873799b 100644 --- a/source4/rpc_server/remote/dcesrv_remote.c +++ b/source4/rpc_server/remote/dcesrv_remote.c @@ -146,15 +146,6 @@ static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct return NT_STATUS_OK; } -static void remote_op_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *iface) -{ - struct dcesrv_remote_private *priv = (struct dcesrv_remote_private *)context->private_data; - - talloc_free(priv->c_pipe); - - return; -} - static NTSTATUS remote_op_ndr_pull(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct ndr_pull *pull, void **r) { enum ndr_err_code ndr_err; @@ -190,7 +181,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq); static NTSTATUS remote_op_dispatch(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, void *r) { - struct dcesrv_remote_private *priv = dce_call->context->private_data; + struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data, + struct dcesrv_remote_private); uint16_t opnum = dce_call->pkt.u.request.opnum; const struct ndr_interface_table *table = dce_call->context->iface->private_data; const struct ndr_interface_call *call; @@ -223,7 +215,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq) { struct dcesrv_call_state *dce_call = talloc_get_type_abort(rreq->async.private_data, struct dcesrv_call_state); - struct dcesrv_remote_private *priv = dce_call->context->private_data; + struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data, + struct dcesrv_remote_private); uint16_t opnum = dce_call->pkt.u.request.opnum; const struct ndr_interface_table *table = dce_call->context->iface->private_data; const struct ndr_interface_call *call; @@ -329,7 +322,6 @@ static bool remote_fill_interface(struct dcesrv_interface *iface, const struct n iface->syntax_id = if_tabl->syntax_id; iface->bind = remote_op_bind; - iface->unbind = remote_op_unbind; iface->ndr_pull = remote_op_ndr_pull; iface->dispatch = remote_op_dispatch; |