From e95e6044b06fa225b016f20ab53ee4082a8f5ae0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 23 Jan 2006 14:02:17 +0000 Subject: r13081: correct fix for the segv in nmbd caused by a double free on namerec. (This used to be commit c908dbc4b260bac72cbc6d25f4728359a6ec8259) --- source3/nmbd/nmbd_namelistdb.c | 11 +++++------ source3/nmbd/nmbd_winsserver.c | 5 +++-- source3/rpc_server/srv_srvsvc_nt.c | 19 +++++++++++-------- source3/utils/status.c | 8 ++++---- 4 files changed, 23 insertions(+), 20 deletions(-) (limited to 'source3') diff --git a/source3/nmbd/nmbd_namelistdb.c b/source3/nmbd/nmbd_namelistdb.c index baaf5dbd54..60023a7ed5 100644 --- a/source3/nmbd/nmbd_namelistdb.c +++ b/source3/nmbd/nmbd_namelistdb.c @@ -80,14 +80,13 @@ static void upcase_name( struct nmb_name *target, const struct nmb_name *source void remove_name_from_namelist(struct subnet_record *subrec, struct name_record *namerec ) { - if (subrec == wins_server_subnet) { + if (subrec == wins_server_subnet) remove_name_from_wins_namelist(namerec); - return; - } - - subrec->namelist_changed = True; + else { + subrec->namelist_changed = True; + DLIST_REMOVE(subrec->namelist, namerec); + } - DLIST_REMOVE(subrec->namelist, namerec); SAFE_FREE(namerec->data.ip); ZERO_STRUCTP(namerec); SAFE_FREE(namerec); diff --git a/source3/nmbd/nmbd_winsserver.c b/source3/nmbd/nmbd_winsserver.c index 5c234bf8dc..9983efe5eb 100644 --- a/source3/nmbd/nmbd_winsserver.c +++ b/source3/nmbd/nmbd_winsserver.c @@ -290,8 +290,9 @@ BOOL remove_name_from_wins_namelist(struct name_record *namerec) DLIST_REMOVE(wins_server_subnet->namelist, namerec); SAFE_FREE(namerec->data.ip); - ZERO_STRUCTP(namerec); - SAFE_FREE(namerec); + + /* namerec must be freed by the caller */ + return (ret == 0) ? True : False; } diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 230f062662..b0e8111f62 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -2,8 +2,8 @@ * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Jeremy Allison 2001. - * Copyright (C) Nigel Williams 2001. + * Copyright (C) Jeremy Allison 2001. + * Copyright (C) Nigel Williams 2001. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -1539,6 +1539,7 @@ WERROR _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S SEC_DESC *psd = NULL; SE_PRIV se_diskop = SE_DISK_OPERATOR; BOOL is_disk_op = False; + int max_connections = 0; DEBUG(5,("_srv_net_share_set_info: %d\n", __LINE__)); @@ -1583,6 +1584,7 @@ WERROR _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S unistr2_to_ascii(comment, &q_u->info.share.info2.info_2_str.uni_remark, sizeof(comment)); unistr2_to_ascii(pathname, &q_u->info.share.info2.info_2_str.uni_path, sizeof(pathname)); type = q_u->info.share.info2.info_2.type; + max_connections = (q_u->info.share.info2.max_uses == 0xffffffff) ? 0 : q_u->info.share.info2.max_uses; psd = NULL; break; #if 0 @@ -1658,8 +1660,8 @@ WERROR _srv_net_share_set_info(pipes_struct *p, SRV_Q_NET_SHARE_SET_INFO *q_u, S return WERR_ACCESS_DENIED; } - slprintf(command, sizeof(command)-1, "%s \"%s\" \"%s\" \"%s\" \"%s\"", - lp_change_share_cmd(), dyn_CONFIGFILE, share_name, path, comment); + slprintf(command, sizeof(command)-1, "%s \"%s\" \"%s\" \"%s\" \"%s\" %d", + lp_change_share_cmd(), dyn_CONFIGFILE, share_name, path, comment, max_connections ); DEBUG(10,("_srv_net_share_set_info: Running [%s]\n", command )); @@ -1951,16 +1953,17 @@ WERROR _srv_net_remote_tod(pipes_struct *p, SRV_Q_NET_REMOTE_TOD *q_u, SRV_R_NET TIME_OF_DAY_INFO *tod; struct tm *t; time_t unixdate = time(NULL); + /* We do this call first as if we do it *after* the gmtime call it overwrites the pointed-to values. JRA */ + uint32 zone = get_time_zone(unixdate)/60; - tod = TALLOC_P(p->mem_ctx, TIME_OF_DAY_INFO); - if (!tod) + DEBUG(5,("_srv_net_remote_tod: %d\n", __LINE__)); + + if ( !(tod = TALLOC_ZERO_P(p->mem_ctx, TIME_OF_DAY_INFO)) ) return WERR_NOMEM; - ZERO_STRUCTP(tod); - r_u->tod = tod; r_u->ptr_srv_tod = 0x1; r_u->status = WERR_OK; diff --git a/source3/utils/status.c b/source3/utils/status.c index f19a217aa6..b9f1c161e4 100644 --- a/source3/utils/status.c +++ b/source3/utils/status.c @@ -103,13 +103,13 @@ static void print_share_mode(const struct share_mode_entry *e, const char *share static int count; if (count==0) { d_printf("Locked files:\n"); - d_printf("Pid DenyMode Access R/W Oplock SharePath Name\n"); - d_printf("----------------------------------------------------------------------------------\n"); + d_printf("Pid DenyMode Access R/W Oplock SharePath Name\n"); + d_printf("----------------------------------------------------------------------------------------\n"); } count++; if (Ucrit_checkPid(procid_to_pid(&e->pid))) { - d_printf("%s ",procid_str_static(&e->pid)); + d_printf("%-11s ",procid_str_static(&e->pid)); switch (map_share_mode_to_deny_mode(e->share_access, e->private_options)) { case DENY_NONE: d_printf("DENY_NONE "); break; @@ -166,7 +166,7 @@ static void print_brl(SMB_DEV_T dev, SMB_INO_T ino, struct process_id pid, } count++; - d_printf("%s %05x:%05x %s %9.0f %9.0f\n", + d_printf("%08s %05x:%05x %s %9.0f %9.0f\n", procid_str_static(&pid), (int)dev, (int)ino, lock_type==READ_LOCK?"R":"W", (double)start, (double)size); -- cgit