-rw-r--r--source4/librpc/rpc/dcerpc.c29
1 files changed, 29 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 9e7abecf9b..c70340df70 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -1082,6 +1082,7 @@ static void dcerpc_timeout_handler(struct tevent_context *ev, struct tevent_time
}
struct dcerpc_bind_state {
+ struct tevent_context *ev;
struct dcerpc_pipe *p;
};
@@ -1109,6 +1110,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ state->ev = ev;
state->p = p;
p->syntax = *syntax;
@@ -1187,10 +1189,25 @@ static void dcerpc_bind_fail_handler(struct rpc_request *subreq)
struct tevent_req *req =
talloc_get_type_abort(subreq->async.private_data,
struct tevent_req);
+ struct dcerpc_bind_state *state =
+ tevent_req_data(req,
+ struct dcerpc_bind_state);
NTSTATUS status = subreq->status;
TALLOC_FREE(subreq);
+ /*
+ * We trigger the callback in the next event run
+ * because the code in this file might trigger
+ * multiple request callbacks from within a single
+ * while loop.
+ *
+ * In order to avoid segfaults from within
+ * dcerpc_connection_dead() we call
+ * tevent_req_defer_callback().
+ */
+ tevent_req_defer_callback(req, state->ev);
+
tevent_req_nterror(req, status);
}
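Review bot: The ten-line comment above `tevent_req_defer_callback(req, state->ev)` is pasted verbatim into `dcerpc_bind_recv_handler` as well (the hunk at -1214), and it names only the symptom, segfaults in `dcerpc_connection_dead()`, not what is unsafe. Presumably the caller's callback can free the pipe or its pending requests while the loop is still walking them; that lifetime hazard should be stated once. I would document it on the new field, `struct tevent_context *ev; /* borrowed from dcerpc_bind_send(); must outlive req, used for tevent_req_defer_callback() */`, and shorten both call sites to a one-line pointer to it. `state->ev = ev` stores the pointer with no reference taken in the visible lines, so deferral is only safe if the event context outlives the request, which the comment should say. The opening of `dcerpc_bind_fail_handler` lies outside this hunk.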
@@ -1214,6 +1231,18 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
talloc_steal(state, raw_packet->data);
TALLOC_FREE(subreq);
+ /*
+ * We trigger the callback in the next event run
+ * because the code in this file might trigger
+ * multiple request callbacks from within a single
+ * while loop.
+ *
+ * In order to avoid segfaults from within
+ * dcerpc_connection_dead() we call
+ * tevent_req_defer_callback().
+ */
+ tevent_req_defer_callback(req, state->ev);
+
if (pkt->ptype == DCERPC_PKT_BIND_NAK) {
status = dcerpc_map_reason(pkt->u.bind_nak.reject_reason);