From de474974ea25df7738dd175126e3f1de0df47ea6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 23 Nov 2002 02:52:36 +0000 Subject: Lots of fixes for error paths where tdb_fetch() data need freeing. Found via a post from Arcady Chernyak . Jeremy. (This used to be commit 5d5762d1787db4392d2dff16024097c638b2d494) --- source3/groupdb/mapping.c | 29 ++++++++++++++++++----------- source3/intl/lang_tdb.c | 3 ++- source3/lib/gencache.c | 14 ++++++++++---- source3/lib/messages.c | 19 +++++++++++++------ source3/libsmb/namecache.c | 2 ++ source3/libsmb/netlogon_unigrp.c | 3 ++- source3/locking/locking.c | 4 +++- source3/locking/posix.c | 25 ++++++++++++++----------- source3/nmbd/nmbd_winsserver.c | 13 ++++++++++--- source3/printing/nt_printing.c | 19 +++++++++++-------- source3/printing/printing.c | 21 ++++++++++++++------- source3/rpc_parse/parse_prs.c | 3 ++- source3/tdb/tdbutil.c | 12 ++++++++---- source3/wrepld/process.c | 3 +++ 14 files changed, 112 insertions(+), 58 deletions(-) (limited to 'source3') diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 0a2c1f3239..943183c061 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -498,8 +498,9 @@ BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) } /**************************************************************************** -return the sid and the type of the unix group + Return the sid and the type of the unix group. ****************************************************************************/ + BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) { TDB_DATA kbuf, dbuf; @@ -523,7 +524,8 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) kbuf.dsize = strlen(key)+1; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) return False; + if (!dbuf.dptr) + return False; ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); @@ -559,10 +561,10 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) return True; } - /**************************************************************************** -return the sid and the type of the unix group + Return the sid and the type of the unix group. ****************************************************************************/ + BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) { TDB_DATA kbuf, dbuf, newkey; @@ -585,7 +587,8 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) continue; + if (!dbuf.dptr) + continue; fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); @@ -624,8 +627,9 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) } /**************************************************************************** -return the sid and the type of the unix group + Return the sid and the type of the unix group. ****************************************************************************/ + BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv) { TDB_DATA kbuf, dbuf, newkey; @@ -648,7 +652,8 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv) if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) continue; + if (!dbuf.dptr) + continue; fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); @@ -689,8 +694,9 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv) } /**************************************************************************** - remove a group mapping entry + Remove a group mapping entry. ****************************************************************************/ + BOOL group_map_remove(DOM_SID sid) { TDB_DATA kbuf, dbuf; @@ -711,7 +717,8 @@ BOOL group_map_remove(DOM_SID sid) kbuf.dsize = strlen(key)+1; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) return False; + if (!dbuf.dptr) + return False; SAFE_FREE(dbuf.dptr); @@ -721,10 +728,10 @@ BOOL group_map_remove(DOM_SID sid) return True; } - /**************************************************************************** -enumerate the group mapping + Enumerate the group mapping. ****************************************************************************/ + BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, BOOL unix_only, BOOL with_priv) { diff --git a/source3/intl/lang_tdb.c b/source3/intl/lang_tdb.c index a86ea0a3f9..2c22d4ab5f 100644 --- a/source3/intl/lang_tdb.c +++ b/source3/intl/lang_tdb.c @@ -176,7 +176,8 @@ const char *lang_msg(const char *msgid) /* if the message isn't found then we still need to return a pointer that can be freed. Pity. */ - if (!data.dptr) return strdup(msgid); + if (!data.dptr) + return strdup(msgid); return (const char *)data.dptr; } diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c index 9e2009ad4a..a872f1331c 100644 --- a/source3/lib/gencache.c +++ b/source3/lib/gencache.c @@ -238,16 +238,18 @@ BOOL gencache_get(const char *keystr, char **valstr, time_t *timeout) /* fail completely if get null pointers passed */ SMB_ASSERT(keystr && valstr && timeout); - if (!gencache_init()) return False; + if (!gencache_init()) + return False; keybuf.dptr = strdup(keystr); keybuf.dsize = strlen(keystr); databuf = tdb_fetch(cache, keybuf); - if (databuf.dptr) { + if (databuf.dptr && databuf.dsize > TIMEOUT_LEN) { char* entry_buf = strndup(databuf.dptr, databuf.dsize); *valstr = (char*)malloc(sizeof(char) * (databuf.dsize - TIMEOUT_LEN)); + SAFE_FREE(databuf.dptr); sscanf(entry_buf, CACHE_DATA_FMT, (int*)timeout, *valstr); SAFE_FREE(entry_buf); @@ -256,6 +258,7 @@ BOOL gencache_get(const char *keystr, char **valstr, time_t *timeout) ctime(timeout))); return *timeout > time(NULL); } else { + SAFE_FREE(databuf.dptr); *valstr = NULL; timeout = NULL; DEBUG(10, ("Cache entry with key = %s couldn't be found\n", keystr)); @@ -300,7 +303,12 @@ void gencache_iterate(void (*fn)(const char* key, const char *value, time_t time * all of the entries. Validity verification is up to fn routine. */ databuf = tdb_fetch(cache, node->node_key); + if (!databuf.dptr || databuf.dsize <= TIMEOUT_LEN) { + SAFE_FREE(databuf.dptr); + continue; + } entry = strndup(databuf.dptr, databuf.dsize); + SAFE_FREE(databuf.dptr); valstr = (char*)malloc(sizeof(char) * (databuf.dsize - TIMEOUT_LEN)); sscanf(entry, CACHE_DATA_FMT, (int*)(&timeout), valstr); @@ -315,5 +323,3 @@ void gencache_iterate(void (*fn)(const char* key, const char *value, time_t time tdb_search_list_free(first_node); } - - diff --git a/source3/lib/messages.c b/source3/lib/messages.c index d9886a54da..36a23e28ab 100644 --- a/source3/lib/messages.c +++ b/source3/lib/messages.c @@ -180,10 +180,12 @@ BOOL message_send_pid(pid_t pid, int msg_type, const void *buf, size_t len, if (!dbuf.dptr) { /* its a new record */ p = (void *)malloc(len + sizeof(rec)); - if (!p) goto failed; + if (!p) + goto failed; memcpy(p, &rec, sizeof(rec)); - if (len > 0) memcpy((void *)((char*)p+sizeof(rec)), buf, len); + if (len > 0) + memcpy((void *)((char*)p+sizeof(rec)), buf, len); dbuf.dptr = p; dbuf.dsize = len + sizeof(rec); @@ -218,11 +220,13 @@ BOOL message_send_pid(pid_t pid, int msg_type, const void *buf, size_t len, /* we're adding to an existing entry */ p = (void *)malloc(dbuf.dsize + len + sizeof(rec)); - if (!p) goto failed; + if (!p) + goto failed; memcpy(p, dbuf.dptr, dbuf.dsize); memcpy((void *)((char*)p+dbuf.dsize), &rec, sizeof(rec)); - if (len > 0) memcpy((void *)((char*)p+dbuf.dsize+sizeof(rec)), buf, len); + if (len > 0) + memcpy((void *)((char*)p+dbuf.dsize+sizeof(rec)), buf, len); SAFE_FREE(dbuf.dptr); dbuf.dptr = p; @@ -256,7 +260,8 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len) tdb_chainlock(tdb, kbuf); dbuf = tdb_fetch(tdb, kbuf); - if (dbuf.dptr == NULL || dbuf.dsize == 0) goto failed; + if (dbuf.dptr == NULL || dbuf.dsize == 0) + goto failed; memcpy(&rec, dbuf.dptr, sizeof(rec)); @@ -267,7 +272,8 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len) if (rec.len > 0) { (*buf) = (void *)malloc(rec.len); - if (!(*buf)) goto failed; + if (!(*buf)) + goto failed; memcpy(*buf, dbuf.dptr+sizeof(rec), rec.len); } else { @@ -293,6 +299,7 @@ static BOOL message_recv(int *msg_type, pid_t *src, void **buf, size_t *len) failed: tdb_chainunlock(tdb, kbuf); + SAFE_FREE(dbuf.dptr); return False; } diff --git a/source3/libsmb/namecache.c b/source3/libsmb/namecache.c index 2252e8e59c..ce4cbc048c 100644 --- a/source3/libsmb/namecache.c +++ b/source3/libsmb/namecache.c @@ -196,6 +196,7 @@ BOOL namecache_fetch(const char *name, int name_type, struct in_addr **ip_list, tdb_delete(namecache_tdb, key); + SAFE_FREE(value.dptr); value = tdb_null; goto done; @@ -210,6 +211,7 @@ BOOL namecache_fetch(const char *name, int name_type, struct in_addr **ip_list, tdb_delete(namecache_tdb, key); + SAFE_FREE(value.dptr); value = tdb_null; goto done; diff --git a/source3/libsmb/netlogon_unigrp.c b/source3/libsmb/netlogon_unigrp.c index 979ff52bd3..ea9e790b7d 100644 --- a/source3/libsmb/netlogon_unigrp.c +++ b/source3/libsmb/netlogon_unigrp.c @@ -129,7 +129,8 @@ uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid, /* There is no cached universal groups in netlogon_unigrp.tdb */ /* for this user. */ - if (!data.dptr) return NULL; + if (!data.dptr) + return NULL; /* Transfer data to receiver's memory context */ group_count = IVAL(&((uint32*)data.dptr)[0],0); diff --git a/source3/locking/locking.c b/source3/locking/locking.c index 3eb7ca4783..e8b6f3428f 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -652,8 +652,10 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) size = dbuf.dsize + sizeof(share_mode_entry); p = malloc(size); - if (!p) + if (!p) { + SAFE_FREE(dbuf.dptr); return False; + } memcpy(p, dbuf.dptr, sizeof(*data)); fill_share_mode(p + sizeof(*data), fsp, port, op_type); memcpy(p + sizeof(*data) + sizeof(share_mode_entry), dbuf.dptr + sizeof(*data), diff --git a/source3/locking/posix.c b/source3/locking/posix.c index f7a8cd3d39..94055de2b0 100644 --- a/source3/locking/posix.c +++ b/source3/locking/posix.c @@ -149,7 +149,7 @@ static size_t get_posix_pending_close_entries(files_struct *fsp, int **entries) dbuf = tdb_fetch(posix_pending_close_tdb, kbuf); - if (!dbuf.dptr) { + if (!dbuf.dptr) { return 0; } @@ -176,7 +176,7 @@ static size_t get_posix_lock_entries(files_struct *fsp, struct posix_lock **entr dbuf = tdb_fetch(posix_lock_tdb, kbuf); - if (!dbuf.dptr) { + if (!dbuf.dptr) { return 0; } @@ -338,8 +338,9 @@ static BOOL delete_posix_lock_entry_by_index(files_struct *fsp, size_t entry) return True; fail: - SAFE_FREE(dbuf.dptr); - return False; + + SAFE_FREE(dbuf.dptr); + return False; } /**************************************************************************** @@ -385,17 +386,18 @@ static BOOL add_posix_lock_entry(files_struct *fsp, SMB_OFF_T start, SMB_OFF_T s goto fail; } - SAFE_FREE(dbuf.dptr); + SAFE_FREE(dbuf.dptr); DEBUG(10,("add_posix_lock: File %s: type = %s: start=%.0f size=%.0f: dev=%.0f inode=%.0f\n", fsp->fsp_name, posix_lock_type_name(lock_type), (double)start, (double)size, (double)fsp->dev, (double)fsp->inode )); - return True; + return True; fail: - SAFE_FREE(dbuf.dptr); - return False; + + SAFE_FREE(dbuf.dptr); + return False; } /**************************************************************************** @@ -492,13 +494,14 @@ static int delete_posix_lock_entry(files_struct *fsp, SMB_OFF_T start, SMB_OFF_T posix_lock_type_name(pl->lock_type), (double)pl->start, (double)pl->size, (unsigned int)num_overlapping_records )); - SAFE_FREE(dbuf.dptr); + SAFE_FREE(dbuf.dptr); return num_overlapping_records; fail: - SAFE_FREE(dbuf.dptr); - return -1; + + SAFE_FREE(dbuf.dptr); + return -1; } /**************************************************************************** diff --git a/source3/nmbd/nmbd_winsserver.c b/source3/nmbd/nmbd_winsserver.c index d67d25bb88..87391b35df 100644 --- a/source3/nmbd/nmbd_winsserver.c +++ b/source3/nmbd/nmbd_winsserver.c @@ -266,7 +266,8 @@ BOOL initialise_wins(void) continue; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) continue; + if (!dbuf.dptr) + continue; fstrcpy(name_type, kbuf.dptr+strlen(ENTRY_PREFIX)); @@ -284,15 +285,20 @@ BOOL initialise_wins(void) wins_ip=*interpret_addr2(ip_str); /* Don't reload replica records */ - if (!ip_equal(wins_ip, our_fake_ip)) + if (!ip_equal(wins_ip, our_fake_ip)) { + SAFE_FREE(dbuf.dptr); continue; + } /* Don't reload released or tombstoned records */ - if ((wins_flags&WINS_STATE_MASK) != WINS_ACTIVE) + if ((wins_flags&WINS_STATE_MASK) != WINS_ACTIVE) { + SAFE_FREE(dbuf.dptr); continue; + } /* Allocate the space for the ip_list. */ if((ip_list = (struct in_addr *)malloc( num_ips * sizeof(struct in_addr))) == NULL) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("initialise_wins: Malloc fail !\n")); return False; } @@ -324,6 +330,7 @@ BOOL initialise_wins(void) name, type, ttl, inet_ntoa(ip_list[0]), nb_flags)); } + SAFE_FREE(dbuf.dptr); SAFE_FREE(ip_list); } diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index a12f906526..1460bea084 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -212,10 +212,12 @@ static BOOL upgrade_to_version_3(void) if (strncmp(kbuf.dptr, FORMS_PREFIX, strlen(FORMS_PREFIX)) == 0) { DEBUG(0,("upgrade_to_version_3:moving form\n")); if (tdb_store(tdb_forms, kbuf, dbuf, TDB_REPLACE) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to move form. Error (%s).\n", tdb_errorstr(tdb_forms))); return False; } if (tdb_delete(tdb_drivers, kbuf) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to delete form. Error (%s)\n", tdb_errorstr(tdb_drivers))); return False; } @@ -224,10 +226,12 @@ static BOOL upgrade_to_version_3(void) if (strncmp(kbuf.dptr, PRINTERS_PREFIX, strlen(PRINTERS_PREFIX)) == 0) { DEBUG(0,("upgrade_to_version_3:moving printer\n")); if (tdb_store(tdb_printers, kbuf, dbuf, TDB_REPLACE) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to move printer. Error (%s)\n", tdb_errorstr(tdb_printers))); return False; } if (tdb_delete(tdb_drivers, kbuf) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to delete printer. Error (%s)\n", tdb_errorstr(tdb_drivers))); return False; } @@ -236,10 +240,12 @@ static BOOL upgrade_to_version_3(void) if (strncmp(kbuf.dptr, SECDESC_PREFIX, strlen(SECDESC_PREFIX)) == 0) { DEBUG(0,("upgrade_to_version_3:moving secdesc\n")); if (tdb_store(tdb_printers, kbuf, dbuf, TDB_REPLACE) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to move secdesc. Error (%s)\n", tdb_errorstr(tdb_printers))); return False; } if (tdb_delete(tdb_drivers, kbuf) != 0) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("upgrade_to_version_3: failed to delete secdesc. Error (%s)\n", tdb_errorstr(tdb_drivers))); return False; } @@ -1771,8 +1777,7 @@ static WERROR get_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 **info_ptr, driver.defaultdatatype); i=0; - while (len < dbuf.dsize) - { + while (len < dbuf.dsize) { fstring *tddfs; tddfs = (fstring *)Realloc(driver.dependentfiles, @@ -1793,8 +1798,7 @@ static WERROR get_a_printer_driver_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 **info_ptr, SAFE_FREE(dbuf.dptr); - if (len != dbuf.dsize) - { + if (len != dbuf.dsize) { SAFE_FREE(driver.dependentfiles); return get_a_printer_driver_3_default(info_ptr, drivername, arch); @@ -2918,8 +2922,7 @@ static WERROR get_a_printer_2(NT_PRINTER_INFO_LEVEL_2 **info_ptr, fstring sharen * See comments in get_a_printer_2_default() */ - if (lp_default_devmode(lp_servicenumber(sharename)) && !info.devmode) - { + if (lp_default_devmode(lp_servicenumber(sharename)) && !info.devmode) { DEBUG(8,("get_a_printer_2: Constructing a default device mode for [%s]\n", printername)); info.devmode = construct_nt_devicemode(printername); @@ -3160,8 +3163,8 @@ static BOOL set_driver_init_2( NT_PRINTER_INFO_LEVEL_2 *info_ptr ) */ if ( info.devmode ) { - ZERO_STRUCT(info.devmode->devicename); - fstrcpy(info.devmode->devicename, info_ptr->printername); + ZERO_STRUCT(info.devmode->devicename); + fstrcpy(info.devmode->devicename, info_ptr->printername); } /* diff --git a/source3/printing/printing.c b/source3/printing/printing.c index cc4d588e2d..a8f9097255 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -71,6 +71,7 @@ uint16 pjobid_to_rap(int snum, uint32 jobid) SAFE_FREE(data.dptr); return rap_jobid; } + SAFE_FREE(data.dptr); /* Not found - create and store mapping. */ rap_jobid = ++next_rap_jobid; if (rap_jobid == 0) @@ -99,6 +100,7 @@ BOOL rap_to_pjobid(uint16 rap_jobid, int *psnum, uint32 *pjobid) SAFE_FREE(data.dptr); return True; } + SAFE_FREE(data.dptr); return False; } @@ -117,8 +119,10 @@ static void rap_jobid_delete(int snum, uint32 jobid) key.dptr = (char *)&jinfo; key.dsize = sizeof(jinfo); data = tdb_fetch(rap_tdb, key); - if (!data.dptr || (data.dsize != sizeof(uint16))) + if (!data.dptr || (data.dsize != sizeof(uint16))) { + SAFE_FREE(data.dptr); return; + } memcpy(&rap_jobid, data.dptr, sizeof(uint16)); SAFE_FREE(data.dptr); @@ -404,8 +408,10 @@ static struct printjob *print_job_find(int snum, uint32 jobid) ZERO_STRUCT( pjob ); - if ( unpack_pjob( ret.dptr, ret.dsize, &pjob ) == -1 ) + if ( unpack_pjob( ret.dptr, ret.dsize, &pjob ) == -1 ) { + SAFE_FREE(ret.dptr); return NULL; + } SAFE_FREE(ret.dptr); return &pjob; @@ -580,8 +586,7 @@ static BOOL pjob_store(int snum, uint32 jobid, struct printjob *pjob) len += pack_devicemode(pjob->nt_devmode, buf+len, buflen-len); - if (buflen != len) - { + if (buflen != len) { char *tb; tb = (char *)Realloc(buf, len); @@ -593,8 +598,7 @@ static BOOL pjob_store(int snum, uint32 jobid, struct printjob *pjob) buf = tb; newlen = len; } - } - while ( buflen != len ); + } while ( buflen != len ); /* Store new data */ @@ -833,8 +837,10 @@ static pid_t get_updating_pid(fstring printer_name) data = tdb_fetch(pdb->tdb, key); release_print_db(pdb); - if (!data.dptr || data.dsize != sizeof(pid_t)) + if (!data.dptr || data.dsize != sizeof(pid_t)) { + SAFE_FREE(data.dptr); return (pid_t)-1; + } memcpy(&updating_pid, data.dptr, sizeof(pid_t)); SAFE_FREE(data.dptr); @@ -1065,6 +1071,7 @@ static TDB_DATA get_printer_notify_pid_list(TDB_CONTEXT *tdb, const char *printe if (data.dsize % 8) { DEBUG(0,("get_printer_notify_pid_list: Size of record for printer %s not a multiple of 8 !\n", printer_name )); tdb_delete_by_string(tdb, NOTIFY_PID_LIST_KEY ); + SAFE_FREE(data.dptr); ZERO_STRUCT(data); return data; } diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 843be33187..d4a9ec3eda 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -1274,7 +1274,8 @@ int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps, TALLOC_CTX *me kbuf.dsize = strlen(keystr)+1; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) return -1; + if (!dbuf.dptr) + return -1; ZERO_STRUCTP(ps); prs_init(ps, 0, mem_ctx, UNMARSHALL); diff --git a/source3/tdb/tdbutil.c b/source3/tdb/tdbutil.c index 5498872f8a..12db8b337f 100644 --- a/source3/tdb/tdbutil.c +++ b/source3/tdb/tdbutil.c @@ -139,9 +139,11 @@ int32 tdb_fetch_int32_byblob(TDB_CONTEXT *tdb, char *keyval, size_t len) key.dptr = keyval; key.dsize = len; data = tdb_fetch(tdb, key); - if (!data.dptr || data.dsize != sizeof(int32)) + if (!data.dptr || data.dsize != sizeof(int32)) { + SAFE_FREE(data.dptr); return -1; - + } + ret = IVAL(data.dptr,0); SAFE_FREE(data.dptr); return ret; @@ -198,9 +200,11 @@ BOOL tdb_fetch_uint32_byblob(TDB_CONTEXT *tdb, char *keyval, size_t len, uint32 key.dptr = keyval; key.dsize = len; data = tdb_fetch(tdb, key); - if (!data.dptr || data.dsize != sizeof(uint32)) + if (!data.dptr || data.dsize != sizeof(uint32)) { + SAFE_FREE(data.dptr); return False; - + } + *value = IVAL(data.dptr,0); SAFE_FREE(data.dptr); return True; diff --git a/source3/wrepld/process.c b/source3/wrepld/process.c index 56013d2e17..aca0500614 100644 --- a/source3/wrepld/process.c +++ b/source3/wrepld/process.c @@ -540,6 +540,7 @@ static void send_entry_request(GENERIC_PACKET *q, GENERIC_PACKET *r) /* Allocate the space for the ip_list. */ if((ip_list = (struct in_addr *)talloc(mem_ctx, num_ips * sizeof(struct in_addr))) == NULL) { + SAFE_FREE(dbuf.dptr); DEBUG(0,("initialise_wins: talloc fail !\n")); return; } @@ -549,6 +550,8 @@ static void send_entry_request(GENERIC_PACKET *q, GENERIC_PACKET *r) ip_list[i] = *interpret_addr2(ip_str); } + SAFE_FREE(dbuf.dptr); + /* add all entries that have 60 seconds or more to live */ if ((ttl - 60) > time_now || ttl == PERMANENT_TTL) { if(ttl != PERMANENT_TTL) -- cgit