From 045543b661c1ee2c1dac72203e634b9a08568081 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 25 Sep 2004 08:16:16 +0000 Subject: r2618: before we had refererence counts in talloc I added a hack in the server side request structure to prevent a structing being freed in some circumstances. This change replaces this with the much more robust mechanism of talloc_increase_ref_count(). (This used to be commit 3f7741f178b359f81cc98ef18cd69bf976123e9f) --- source4/smb_server/nttrans.c | 8 +++----- source4/smb_server/reply.c | 8 ++------ source4/smb_server/request.c | 6 ------ source4/smb_server/trans2.c | 8 +++----- 4 files changed, 8 insertions(+), 22 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/nttrans.c b/source4/smb_server/nttrans.c index bd8c49c594..683e9e3386 100644 --- a/source4/smb_server/nttrans.c +++ b/source4/smb_server/nttrans.c @@ -198,8 +198,6 @@ void reply_nttrans(struct smbsrv_request *req) params = trans.out.params.data; data = trans.out.data.data; - req->control_flags |= REQ_CONTROL_PROTECTED; - /* we need to divide up the reply into chunks that fit into the negotiated buffer size */ do { @@ -254,9 +252,9 @@ void reply_nttrans(struct smbsrv_request *req) params += this_param; data += this_data; - /* if this is the last chunk then the request can be destroyed */ - if (params_left == 0 && data_left == 0) { - req->control_flags &= ~REQ_CONTROL_PROTECTED; + /* don't destroy unless this is the last segment */ + if (params_left != 0 || data_left != 0) { + talloc_increase_ref_count(req); } req_send_reply(req); diff --git a/source4/smb_server/reply.c b/source4/smb_server/reply.c index 801327f086..72c7c20a11 100644 --- a/source4/smb_server/reply.c +++ b/source4/smb_server/reply.c @@ -1332,13 +1332,9 @@ void reply_echo(struct smbsrv_request *req) memcpy(req->out.data, req->in.data, req->in.data_size); - /* we need to make sure the request isn't destroyed till the - * last packet */ - req->control_flags |= REQ_CONTROL_PROTECTED; - for (i=1; i <= count;i++) { - if (i == count) { - req->control_flags &= ~REQ_CONTROL_PROTECTED; + if (i != count) { + talloc_increase_ref_count(req); } SSVAL(req->out.vwv, VWV(0), i); diff --git a/source4/smb_server/request.c b/source4/smb_server/request.c index 15e821b32b..3d78c0a55d 100644 --- a/source4/smb_server/request.c +++ b/source4/smb_server/request.c @@ -30,12 +30,6 @@ /* destroy a request structure */ void req_destroy(struct smbsrv_request *req) { - /* the request might be marked protected. This is done by the - * SMBecho code for example */ - if (req->control_flags & REQ_CONTROL_PROTECTED) { - return; - } - /* ahh, its so nice to destroy a complex structure in such a * simple way! */ talloc_free(req); diff --git a/source4/smb_server/trans2.c b/source4/smb_server/trans2.c index a5033f9b56..e681c9fe29 100644 --- a/source4/smb_server/trans2.c +++ b/source4/smb_server/trans2.c @@ -1323,8 +1323,6 @@ void reply_trans_generic(struct smbsrv_request *req, uint8_t command) params = trans.out.params.data; data = trans.out.data.data; - req->control_flags |= REQ_CONTROL_PROTECTED; - /* we need to divide up the reply into chunks that fit into the negotiated buffer size */ do { @@ -1384,9 +1382,9 @@ void reply_trans_generic(struct smbsrv_request *req, uint8_t command) params += this_param; data += this_data; - /* if this is the last chunk then the request can be destroyed */ - if (params_left == 0 && data_left == 0) { - req->control_flags &= ~REQ_CONTROL_PROTECTED; + /* don't destroy unless this is the last chunk */ + if (params_left != 0 || data_left != 0) { + talloc_increase_ref_count(req); } req_send_reply(req); -- cgit