From 83b0c5d43f568222d97f9b8de985f1e39a375fb9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <idra@samba.org>
Date: Wed, 24 Sep 2008 01:37:16 -0400
Subject: Fix nasty bug that would come up only if a client connection to a
 remote ldap server suddenly dies. We were creating a wrong talloc hierarchy,
 so the event.fde was not freed automatically as expected. This in turn made
 the event system call the ldap io handlers with a null packet structure,
 causing a segfault. Fix also the ordering in ldap_connection_dead() Thanks to
 Metze for the huge help in tracking down this one.

---
 source4/auth/gensec/gensec.h |  1 +
 source4/auth/gensec/socket.c | 13 +++++++------
 2 files changed, 8 insertions(+), 6 deletions(-)

(limited to 'source4/auth/gensec')

diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 2830297ffe..84fc26d127 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -174,6 +174,7 @@ struct gensec_security;
 struct socket_context;
 
 NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+			    TALLOC_CTX *mem_ctx, 
 			    struct socket_context *current_socket,
 			    struct event_context *ev,
 			    void (*recv_handler)(void *, uint16_t),
diff --git a/source4/auth/gensec/socket.c b/source4/auth/gensec/socket.c
index 27449bf610..319730e2ca 100644
--- a/source4/auth/gensec/socket.c
+++ b/source4/auth/gensec/socket.c
@@ -408,8 +408,10 @@ static NTSTATUS gensec_socket_send(struct socket_context *sock,
 }
 
 /* Turn a normal socket into a potentially GENSEC wrapped socket */
+/* CAREFUL: this function will steal 'current_socket' */
 
 NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+			    TALLOC_CTX *mem_ctx,
 			    struct socket_context *current_socket,
 			    struct event_context *ev,
 			    void (*recv_handler)(void *, uint16_t),
@@ -420,7 +422,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 	struct socket_context *new_sock;
 	NTSTATUS nt_status;
 
-	nt_status = socket_create_with_ops(current_socket, &gensec_socket_ops, &new_sock, 
+	nt_status = socket_create_with_ops(mem_ctx, &gensec_socket_ops, &new_sock, 
 					   SOCKET_TYPE_STREAM, current_socket->flags | SOCKET_FLAG_ENCRYPT);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		*new_socket = NULL;
@@ -432,22 +434,19 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 	gensec_socket = talloc(new_sock, struct gensec_socket);
 	if (gensec_socket == NULL) {
 		*new_socket = NULL;
+		talloc_free(new_sock);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	new_sock->private_data       = gensec_socket;
 	gensec_socket->socket        = current_socket;
 
-	if (talloc_reference(gensec_socket, current_socket) == NULL) {
-		*new_socket = NULL;
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	/* Nothing to do here, if we are not actually wrapping on this socket */
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) &&
 	    !gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		
 		gensec_socket->wrap = false;
+		talloc_steal(gensec_socket, current_socket);
 		*new_socket = new_sock;
 		return NT_STATUS_OK;
 	}
@@ -469,6 +468,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 	gensec_socket->packet = packet_init(gensec_socket);
 	if (gensec_socket->packet == NULL) {
 		*new_socket = NULL;
+		talloc_free(new_sock);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -481,6 +481,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 
 	/* TODO: full-request that knows about maximum packet size */
 
+	talloc_steal(gensec_socket, current_socket);
 	*new_socket = new_sock;
 	return NT_STATUS_OK;
 }
-- 
cgit