From 584f64c103341c93ac7b33a299cd8a20e48918da Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 28 Apr 2005 07:30:36 +0000 Subject: r6509: fixed a crash bug found by a-jutley@microsoft.com in RPC-RAP test (the call freed the memory it used to fill in the result structure) (This used to be commit b352ef1a4282ddadf85e635112ff51dc3222a854) --- source4/torture/rap/rap.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'source4/torture/rap') diff --git a/source4/torture/rap/rap.c b/source4/torture/rap/rap.c index f245bc679e..52fc100b23 100644 --- a/source4/torture/rap/rap.c +++ b/source4/torture/rap/rap.c @@ -207,6 +207,7 @@ static NTSTATUS rap_cli_do_call(struct smbcli_state *cli, struct rap_call *call) } while (0) static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli, + TALLOC_CTX *mem_ctx, struct rap_NetShareEnum *r) { struct rap_call *call; @@ -241,8 +242,7 @@ static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli, NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.count)); NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available)); - r->out.info = talloc_array(call, union rap_shareenum_info, - r->out.count); + r->out.info = talloc_array(mem_ctx, union rap_shareenum_info, r->out.count); if (r->out.info == NULL) { result = NT_STATUS_NO_MEMORY; @@ -262,7 +262,7 @@ static NTSTATUS smbcli_rap_netshareenum(struct smbcli_state *cli, (uint8_t *)&r->out.info[i].info1.pad, 1)); NDR_OK(ndr_pull_uint16(call->ndr_pull_data, NDR_SCALARS, &r->out.info[i].info1.type)); - NDR_OK(rap_pull_string(call, call->ndr_pull_data, + NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data, r->out.convert, &r->out.info[i].info1.comment)); break; 
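Review bot: The new `mem_ctx` parameter of smbcli_rap_netshareenum carries an ownership rule that is not written down anywhere, at the added `TALLOC_CTX *mem_ctx,` line. Going by the later hunks, `r->out.info` and each `info1.comment` string are now allocated on `mem_ctx` instead of `call`, so they outlive the call and the caller has to release that context. A comment above the function such as `/* everything returned in r->out is allocated on mem_ctx; the caller frees it */` would stop a future caller from passing a context with the wrong lifetime. The function body continues outside this hunk.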
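Review bot: The array at the changed `talloc_array(mem_ctx, ...)` line is sized by `r->out.count`, which was just pulled from the server's reply, and it is not zeroed. Before this change the array was released with `call`; now it stays reachable through `r` even if a later pull in the loop fails (assuming `NDR_OK` bails out on error, as its use suggests), leaving `count` larger than the number of entries actually filled in. That is harmless while callers stop on a non-OK status, as the test does, but `talloc_zero_array(mem_ctx, union rap_shareenum_info, r->out.count)` would make the unfilled tail well defined. The `union rap_server_info` allocation in smbcli_rap_netserverenum2 has the same shape, and the failure path itself is outside this hunk.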
@@ -280,11 +280,12 @@ static BOOL test_netshareenum(struct smbcli_state *cli) { struct rap_NetShareEnum r; int i; + TALLOC_CTX *tmp_ctx = talloc_new(cli); r.in.level = 1; r.in.bufsize = 8192; - if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, &r))) + if (!NT_STATUS_IS_OK(smbcli_rap_netshareenum(cli, tmp_ctx, &r))) return False; for (i=0; indr_pull_param, NDR_SCALARS, &r->out.count)); NDR_OK(ndr_pull_uint16(call->ndr_pull_param, NDR_SCALARS, &r->out.available)); - r->out.info = talloc_array(call, union rap_server_info, - r->out.count); + r->out.info = talloc_array(mem_ctx, union rap_server_info, r->out.count); if (r->out.info == NULL) { result = NT_STATUS_NO_MEMORY; @@ -358,7 +361,7 @@ static NTSTATUS smbcli_rap_netserverenum2(struct smbcli_state *cli, &r->out.info[i].info1.version_minor, 1)); NDR_OK(ndr_pull_uint32(call->ndr_pull_data, NDR_SCALARS, &r->out.info[i].info1.servertype)); - NDR_OK(rap_pull_string(call, call->ndr_pull_data, + NDR_OK(rap_pull_string(mem_ctx, call->ndr_pull_data, r->out.convert, &r->out.info[i].info1.comment)); } @@ -375,6 +378,7 @@ static BOOL test_netserverenum(struct smbcli_state *cli) { struct rap_NetServerEnum2 r; int i; + TALLOC_CTX *tmp_ctx = talloc_new(cli); r.in.level = 0; r.in.bufsize = 8192; @@ -382,7 +386,7 @@ static BOOL test_netserverenum(struct smbcli_state *cli) r.in.servertype = 0x80000000; r.in.domain = NULL; - if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, &r))) + if (!NT_STATUS_IS_OK(smbcli_rap_netserverenum2(cli, tmp_ctx, &r))) return False; for (i=0; i
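Review bot: The result of `talloc_new(cli)` is used without a NULL check in test_netserverenum, and the early `return False` a few lines below returns without freeing `tmp_ctx`, which stays attached to `cli`. With a NULL `mem_ctx` the `talloc_array` allocation would have no parent, so nothing would release it later. Adding `if (tmp_ctx == NULL) return False;` after the declaration and `talloc_free(tmp_ctx);` before each return would cover both. Whether the success path already frees the context cannot be seen here, because the end of the function is cut off. test_netshareenum, changed the same way in the first hunk on this line, follows the same pattern.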