From 089ae5e43543a4654dddd42d61eb84a8036c4780 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sun, 14 Dec 2003 03:51:48 +0000
Subject: fixed some memory leaks in the rpc server code (This used to be commit 20458556017f426ab57ca9a9d098cacecefbdcff)
---
 source4/lib/talloc.c | 5 +++++
 source4/rpc_server/dcerpc_server.c | 19 +++++++------------
 source4/rpc_server/dcerpc_tcp.c | 4 ++++
 3 files changed, 16 insertions(+), 12 deletions(-)
(limited to 'source4')
diff --git a/source4/lib/talloc.c b/source4/lib/talloc.c
index 25871feac1..59d4eac500 100644
--- a/source4/lib/talloc.c
+++ b/source4/lib/talloc.c
@@ -490,7 +490,9 @@ void talloc_free(TALLOC_CTX *ctx, void *ptr)
 list */
 if (ctx->list->ptr == ptr) {
 ctx->total_alloc_size -= ctx->list->size;
+ tc = ctx->list;
 ctx->list = ctx->list->next;
+ free(tc);
 free(ptr);
 return;
 }
@@ -501,8 +503,11 @@ void talloc_free(TALLOC_CTX *ctx, void *ptr)
 }
 if (tc->next) {
+ struct talloc_chunk *tc2 = tc->next;
 ctx->total_alloc_size -= tc->next->size;
 tc->next = tc->next->next;
+ free(tc2);
+ free(ptr);
 } else {
 DEBUG(0,("Attempt to free non-allocated chunk in context '%s'\n", ctx->name));
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 81715f038b..7fa7a7aa8b 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -513,16 +513,15 @@ static void dce_partial_advance(struct dcesrv_state *dce, uint32 offset)
 DATA_BLOB blob;
 if (dce->partial_input.length == offset) {
- talloc_free(dce->mem_ctx, dce->partial_input.data);
+ free(dce->partial_input.data);
 dce->partial_input = data_blob(NULL, 0);
 return;
 }
 blob = dce->partial_input;
- dce->partial_input = data_blob_talloc(dce->mem_ctx,
- blob.data + offset,
- blob.length - offset);
- talloc_free(dce->mem_ctx, blob.data);
+ dce->partial_input = data_blob(blob.data + offset,
+ blob.length - offset);
+ free(blob.data);
 }
 /*
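Review bot: talloc_free now releases both the chunk record and `ptr` on either found path, yet nothing in the visible lines tells callers that the payload is gone afterwards, or that a pointer the context does not own is (as far as the second hunk shows) only logged. A header comment such as `/* frees ptr and its chunk record; ptr must not be used again. A ptr not owned by ctx is logged and left untouched. */` would make that ownership rule explicit. In the second hunk `ctx->total_alloc_size -= tc->next->size;` could read `tc2->size` now that `tc2` exists. The dereference of `ctx->list` in the first hunk relies on an empty-list check that, if present, sits above the hunk.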
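Review bot: dce_partial_advance never checks that `offset` lies within the buffer: when it exceeds `dce->partial_input.length`, `blob.length - offset` wraps (both are presumably unsigned) and data_blob() is asked to copy from past the end of the allocation. The caller in dcesrv_input_process (next hunk of this file) now passes `blob.length`, whose relation to `partial_input.length` is not visible in this diff. Changing the first test to `if (offset >= dce->partial_input.length) {` makes an over-long advance drain the buffer instead of reading beyond it. Because the buffer is now malloc-owned rather than tied to `dce->mem_ctx`, whatever tears down the dcesrv_state must free `partial_input.data` explicitly; that code is outside this diff.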
@@ -567,7 +566,7 @@ NTSTATUS dcesrv_input_process(struct dcesrv_state *dce)
 return status;
 }
- dce_partial_advance(dce, ndr->offset);
+ dce_partial_advance(dce, blob.length);
 /* see if this is a continued packet */
 if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
@@ -651,14 +650,10 @@ NTSTATUS dcesrv_input_process(struct dcesrv_state *dce)
 */
 NTSTATUS dcesrv_input(struct dcesrv_state *dce, const DATA_BLOB *data)
 {
- struct ndr_pull *ndr;
- TALLOC_CTX *mem_ctx;
 NTSTATUS status;
- struct dcesrv_call_state *call;
- dce->partial_input.data = talloc_realloc(dce->mem_ctx,
- dce->partial_input.data,
- dce->partial_input.length + data->length);
+ dce->partial_input.data = Realloc(dce->partial_input.data,
+ dce->partial_input.length + data->length);
 if (!dce->partial_input.data) {
 return NT_STATUS_NO_MEMORY;
 }
diff --git a/source4/rpc_server/dcerpc_tcp.c b/source4/rpc_server/dcerpc_tcp.c
index ee026b3674..c9aeb400d0 100644
--- a/source4/rpc_server/dcerpc_tcp.c
+++ b/source4/rpc_server/dcerpc_tcp.c
@@ -100,10 +100,12 @@ static void dcerpc_read_handler(struct event_context *ev, struct fd_event *fde,
 ret = read(fde->fd, blob.data, blob.length);
 if (ret == 0 || (ret == -1 && errno != EINTR)) {
+ data_blob_free(&blob);
 terminate_rpc_session(r, "eof on socket");
 return;
 }
 if (ret == -1) {
+ data_blob_free(&blob);
 return;
 }
@@ -265,6 +267,8 @@ static void add_socket_rpc(struct event_context *events,
 r, e->endpoint_ops);
 }
 }
+
+ free(r);
 }
 /****************************************************************************
-- cgit
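Review bot: The size handed to Realloc in dcesrv_input is `dce->partial_input.length + data->length` with no wrap check and no upper bound, and both terms grow with what the peer sends; a wrapped sum would yield a buffer smaller than the data that the code after this hunk presumably appends. The result is also assigned straight over `dce->partial_input.data`, so on failure the only reference to the old buffer is lost while `length` keeps its old value. Computing the new length first, rejecting a wrapped value, and growing through a temporary keeps the blob consistent; a per-connection cap on accumulated input would belong in the same place. The rest of dcesrv_input lies outside the hunk.
```c
NTSTATUS dcesrv_input(struct dcesrv_state *dce, const DATA_BLOB *data)
{
	NTSTATUS status;
	size_t new_len = dce->partial_input.length + data->length;
	void *grown;

	/* reject a wrapped sum before it reaches the allocator */
	if (new_len < dce->partial_input.length) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	grown = Realloc(dce->partial_input.data, new_len);
	if (!grown) {
		/* pointer and length are left as they were */
		return NT_STATUS_NO_MEMORY;
	}
	dce->partial_input.data = grown;
	/* … unchanged: append data and process the input … */
```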
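Review bot: `free(r)` at the end of add_socket_rpc runs after `r` has been passed to the call whose argument list ends in `r, e->endpoint_ops);`, and if that callee stores the pointer for later use by the socket handlers, they are left with a dangling pointer. The declaration and allocation of `r` are above the hunk, so two more things need confirming there: that `r` is initialised (for example `= NULL`) when the loop matches no endpoint, and that an allocation made per iteration is not leaked for all but the last one. If the callee only borrows `r`, a comment at the free such as `/* the callee keeps no reference to r */` would record that.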