From a04f65b1c703e7622ebc1a85170f9980c2b33227 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 4 Oct 2005 10:18:07 +0000
Subject: r10709: fixed a crash bug rather similar to the one volker found in the dcerpc code, where a stream_terminate_connection() while processing a request can cause a later defererence of the connection structure to die. (This used to be commit efbcb0f74176058a74d7134dae4658b891fc6f16)
---
 source4/ldap_server/ldap_server.c | 27 ++++++++++++++++++++++-----
 source4/ldap_server/ldap_server.h | 3 +++
 2 files changed, 25 insertions(+), 5 deletions(-)
(limited to 'source4/ldap_server')
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 71a7172e5c..83ce059756 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -40,11 +40,12 @@
 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn, const char *reason)
 {
- if (conn->tls) {
- talloc_free(conn->tls);
- conn->tls = NULL;
- }
- stream_terminate_connection(conn->connection, reason);
+ /* we don't actually do the stream termination here as the
+ recv/send functions dereference the connection after the
+ packet processing callbacks. Instead we mark it for
+ termination and do the real termination in the send/recv
+ functions */
+ conn->terminate = reason;
 }
 /*
@@ -299,6 +300,14 @@ static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
 conn->processing = False;
 EVENT_FD_READABLE(c->event.fde);
+
+ if (conn->terminate) {
+ if (conn->tls) {
+ talloc_free(conn->tls);
+ conn->tls = NULL;
+ }
+ stream_terminate_connection(conn->connection, conn->terminate);
+ }
 }
 /*
@@ -331,6 +340,14 @@ static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
 if (conn->send_queue == NULL) {
 EVENT_FD_NOT_WRITEABLE(c->event.fde);
 }
+
+ if (conn->terminate) {
+ if (conn->tls) {
+ talloc_free(conn->tls);
+ conn->tls = NULL;
+ }
+ stream_terminate_connection(conn->connection, conn->terminate);
+ }
 }
 /*
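Review bot: `conn->terminate = reason;` turns the call into a silent no-op when a caller passes a NULL reason, because the recv/send tails test this same pointer as the termination flag. It also keeps the caller's pointer beyond the call, so a reason string that lives on the stack or in a talloc context freed before the deferred check would be dangling when `stream_terminate_connection()` finally reads it; the callers are outside this hunk, so this needs confirming against them. Either a separate boolean flag or `conn->terminate = reason ? reason : "unknown reason";`, with non-literal strings copied onto `conn` (for example via `talloc_strdup(conn, reason)`), would close both cases.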
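Review bot: The deferred check sits only at the very end of ldapsrv_recv(), so a termination requested during packet processing takes effect only if control actually reaches that point. The body of the function is outside this hunk; if it contains early returns, or loops over several buffered requests, a connection already marked for termination could return without being closed or keep having further requests handled. It would be safer to test the flag right after each processing callback, for example `if (conn->terminate) break;` inside any request loop, and to route every exit through the tail check. The same applies to the block added at the end of ldapsrv_send(), and to any caller of ldapsrv_terminate_connection() that does not run inside one of these two handlers.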
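Review bot: The teardown block added at the end of ldapsrv_send() is a copy of the one added to ldapsrv_recv(), so the ordering of freeing `conn->tls` before `stream_terminate_connection()` now lives in two places that can drift apart. A small static helper called as the last statement of both handlers, for instance `static void ldapsrv_finish_terminate(struct ldapsrv_connection *conn)` (the name is only a suggestion), would keep it in one place. It should carry a comment that `conn` must not be touched after it returns, since the commit message indicates that the stream termination is what invalidates the connection structure.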
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index a1981843a6..2aa6530f9f 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -38,6 +38,9 @@ struct ldapsrv_connection {
 struct data_blob_list_item *send_queue;
 BOOL processing;
+
+ /* connection should be terminated if non-null */
+ const char *terminate;
 };
 struct ldapsrv_call {
-- cgit
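Review bot: The comment on `terminate` should say what the pointer holds and who owns it, because the field serves as both the termination flag and the reason string. Something like `/* reason passed to ldapsrv_terminate_connection(); non-NULL means terminate at the end of the current recv/send; string is not owned by this struct */` would make the lifetime expectation explicit. Because the handlers test the field for truth, the structure must also be zero-initialised where it is allocated; that allocation is not visible in this diff, so it is worth confirming.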