Author: vlendec
Date: 2007-08-07 13:10:21 +0000 (Tue, 07 Aug 2007)
New Revision: 24268

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24268

Log:
Fix two crashes for spoolss

strlcpy does not like a NULL source. Fix a use-after-free.

Modified:
   branches/SAMBA_3_2/source/smbd/connection.c
   branches/SAMBA_3_2_0/source/smbd/connection.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/connection.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/connection.c 2007-08-07 11:50:03 UTC (rev 
24267)
+++ branches/SAMBA_3_2/source/smbd/connection.c 2007-08-07 13:10:21 UTC (rev 
24268)
@@ -206,7 +206,7 @@
                doreg ? "adding" : "removing",
                (unsigned int)msg_flags ));
 
-       if (!(rec = connections_fetch_entry(NULL, NULL, NULL))) {
+       if (!(rec = connections_fetch_entry(NULL, NULL, ""))) {
                DEBUG(0, ("connections_fetch_entry failed\n"));
                return False;
        }
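Review bot: The new connections_fetch_entry(NULL, NULL, "") call carries no comment explaining why the third argument must be an empty string rather than NULL, so a later reader can "simplify" it back and reintroduce the crash the log describes; add `/* "" rather than NULL: connections_fetch_entry() copies this argument with strlcpy(), which (per the commit log) does not accept a NULL source */` above the call. Whether the first two arguments may stay NULL is not visible here; if connections_fetch_entry copies them the same way they would need the same treatment, which is worth confirming against its definition. The enclosing function begins before this hunk. The identical change in the branches/SAMBA_3_2_0 hunk at @@ -179,7 +179,7 @@ would take the same comment.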
@@ -225,17 +225,18 @@
 
        status = rec->store(rec, rec->value, TDB_REPLACE);
 
-       TALLOC_FREE(rec);
-
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("register_message_flags: tdb_store failed: %s.\n",
                         nt_errstr(status)));
+               TALLOC_FREE(rec);
                return False;
        }
 
        DEBUG(10,("register_message_flags: new flags 0x%x\n",
                (unsigned int)pcrec->bcast_msg_flags ));
 
+       TALLOC_FREE(rec);
+
        return True;
 }
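Review bot: TALLOC_FREE(rec) is now duplicated on the failure and success exits, and the DEBUG(10) read of pcrec->bcast_msg_flags between them is only safe while rec is alive — presumably pcrec points into rec's record data, which is what made the old order a use-after-free, yet nothing in the hunk records that relationship. Copying the flags into a local before a single TALLOC_FREE(rec), or a comment such as `/* pcrec points into rec's value; rec must outlive the last read of it */` beside the DEBUG, would make the lifetime dependency explicit and remove the duplicated free. register_message_flags begins before this hunk, where pcrec is set up, so the aliasing itself cannot be confirmed from these lines. The identical change in the branches/SAMBA_3_2_0 hunk at @@ -198,17 +198,18 @@ carries the same point.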
 

Modified: branches/SAMBA_3_2_0/source/smbd/connection.c
===================================================================
--- branches/SAMBA_3_2_0/source/smbd/connection.c       2007-08-07 11:50:03 UTC 
(rev 24267)
+++ branches/SAMBA_3_2_0/source/smbd/connection.c       2007-08-07 13:10:21 UTC 
(rev 24268)
@@ -179,7 +179,7 @@
                doreg ? "adding" : "removing",
                (unsigned int)msg_flags ));
 
-       if (!(rec = connections_fetch_entry(NULL, NULL, NULL))) {
+       if (!(rec = connections_fetch_entry(NULL, NULL, ""))) {
                DEBUG(0, ("connections_fetch_entry failed\n"));
                return False;
        }
@@ -198,17 +198,18 @@
 
        status = rec->store(rec, rec->value, TDB_REPLACE);
 
-       TALLOC_FREE(rec);
-
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("register_message_flags: tdb_store failed: %s.\n",
                         nt_errstr(status)));
+               TALLOC_FREE(rec);
                return False;
        }
 
        DEBUG(10,("register_message_flags: new flags 0x%x\n",
                (unsigned int)pcrec->bcast_msg_flags ));
 
+       TALLOC_FREE(rec);
+
        return True;
 }
 
