summaryrefslogtreecommitdiff
path: root/source4/rpc_server
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-09-15 11:23:15 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-15 15:39:36 +1000
commita498ab90fbad872c36900a86fe7ccada64c3c4a7 (patch)
tree476e0640709f1515c21da466a874b012576683be /source4/rpc_server
parent0212800de8c6367c9da7939fc43a1fa23c7da2bf (diff)
downloadsamba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.gz
samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.tar.bz2
samba-a498ab90fbad872c36900a86fe7ccada64c3c4a7.zip
s4-rpc: fixed double free in RPC proxy
the unbind method is only called when the dcesrv_connection_context is being destroyed (its called from the destructor). That means that priv is either already free, or is about to be freed, so don't free it again
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/remote/dcesrv_remote.c16
1 files changed, 4 insertions, 12 deletions
diff --git a/source4/rpc_server/remote/dcesrv_remote.c b/source4/rpc_server/remote/dcesrv_remote.c
index 7ba39462fd..23c873799b 100644
--- a/source4/rpc_server/remote/dcesrv_remote.c
+++ b/source4/rpc_server/remote/dcesrv_remote.c
@@ -146,15 +146,6 @@ static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct
return NT_STATUS_OK;
}
-static void remote_op_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *iface)
-{
- struct dcesrv_remote_private *priv = (struct dcesrv_remote_private *)context->private_data;
-
- talloc_free(priv->c_pipe);
-
- return;
-}
-
static NTSTATUS remote_op_ndr_pull(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct ndr_pull *pull, void **r)
{
enum ndr_err_code ndr_err;
@@ -190,7 +181,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq);
static NTSTATUS remote_op_dispatch(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, void *r)
{
- struct dcesrv_remote_private *priv = dce_call->context->private_data;
+ struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data,
+ struct dcesrv_remote_private);
uint16_t opnum = dce_call->pkt.u.request.opnum;
const struct ndr_interface_table *table = dce_call->context->iface->private_data;
const struct ndr_interface_call *call;
@@ -223,7 +215,8 @@ static void remote_op_dispatch_done(struct rpc_request *rreq)
{
struct dcesrv_call_state *dce_call = talloc_get_type_abort(rreq->async.private_data,
struct dcesrv_call_state);
- struct dcesrv_remote_private *priv = dce_call->context->private_data;
+ struct dcesrv_remote_private *priv = talloc_get_type_abort(dce_call->context->private_data,
+ struct dcesrv_remote_private);
uint16_t opnum = dce_call->pkt.u.request.opnum;
const struct ndr_interface_table *table = dce_call->context->iface->private_data;
const struct ndr_interface_call *call;
@@ -329,7 +322,6 @@ static bool remote_fill_interface(struct dcesrv_interface *iface, const struct n
iface->syntax_id = if_tabl->syntax_id;
iface->bind = remote_op_bind;
- iface->unbind = remote_op_unbind;
iface->ndr_pull = remote_op_ndr_pull;
iface->dispatch = remote_op_dispatch;