The branch, v3-5-test has been updated via f5ca9f8... Second part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns. via 6e5b6b5... First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns. from 78c6291... Fix one of the valgrind warnings from bug #6814 - Fixes for problems reported by valgrind
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log ----------------------------------------------------------------- commit f5ca9f84e9b511c2ba7a4280b1997daa441f9877 Author: Jeremy Allison <j...@samba.org> Date: Fri Feb 19 14:24:17 2010 -0800 Second part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns. If server returns zero on a NP read. Report pipe broken. Prevents client from looping if it thinks there should be more data. Jeremy. (cherry picked from commit 0055e33dbed0e81548464d01bcf864255bab3159) commit 6e5b6b5acb30869eb63b25ed1406014101a5e89d Author: Jeremy Allison <j...@samba.org> Date: Fri Feb 19 14:18:51 2010 -0800 First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns. Ensure that subreq is *always* talloc_free'd in the _done function, as it has an event timeout attached. If the read requests look longer than the cli->timeout, then the timeout fn is called with already freed data. Jeremy. (cherry picked from commit ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7) ----------------------------------------------------------------------- Summary of changes: source3/rpc_client/rpc_transport_np.c | 10 ++++++++++ source3/rpc_client/rpc_transport_sock.c | 12 ++++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index fdcdfd3..1b9c7fc 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -157,6 +157,9 @@ static void rpc_np_read_done(struct tevent_req *subreq)
 NTSTATUS status;
 uint8_t *rcvbuf;
+ /* We must free subreq in this function as there is
+ a timer event attached to it. */
+
 status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
 /*
 * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
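Review bot: The comment added at the top of rpc_np_read_done says subreq must be freed in this function, while the existing comment directly below the cli_read_andx_recv call says it cannot be freed "as usual here" because of rcvbuf; read together the two look contradictory. One comment stating the actual rule would be clearer, for example `/* subreq has a timer event attached: free it on every exit path, but only after rcvbuf has been copied out. */`. The function body starts before and continues after this hunk.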
@@ -177,7 +180,14 @@ static void rpc_np_read_done(struct tevent_req *subreq)
 return;
 }
+ if (state->received == 0) {
+ TALLOC_FREE(subreq);
+ tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN);
+ return;
+ }
+
 memcpy(state->data, rcvbuf, state->received);
+ TALLOC_FREE(subreq);
 tevent_req_done(req);
 }
diff --git a/source3/rpc_client/rpc_transport_sock.c b/source3/rpc_client/rpc_transport_sock.c
index df060e6..4ab17db 100644
--- a/source3/rpc_client/rpc_transport_sock.c
+++ b/source3/rpc_client/rpc_transport_sock.c
@@ -88,15 +88,21 @@ static void rpc_sock_read_done(struct tevent_req *subreq)
 req, struct rpc_sock_read_state);
 int err;
+ /* We must free subreq in this function as there is
+ a timer event attached to it. */
+
 state->received = async_recv_recv(subreq, &err);
+
 if (state->received == -1) {
 if (state->transp->fd != -1) {
 close(state->transp->fd);
 state->transp->fd = -1;
 }
+ TALLOC_FREE(subreq);
 tevent_req_nterror(req, map_nt_error_from_unix(err));
 return;
 }
+ TALLOC_FREE(subreq);
 tevent_req_done(req);
 }
@@ -165,15 +171,21 @@ static void rpc_sock_write_done(struct tevent_req *subreq)
 req, struct rpc_sock_write_state);
 int err;
+ /* We must free subreq in this function as there is
+ a timer event attached to it. */
+
 state->sent = async_send_recv(subreq, &err);
+
 if (state->sent == -1) {
 if (state->transp->fd != -1) {
 close(state->transp->fd);
 state->transp->fd = -1;
 }
+ TALLOC_FREE(subreq);
 tevent_req_nterror(req, map_nt_error_from_unix(err));
 return;
 }
+ TALLOC_FREE(subreq);
 tevent_req_done(req);
 }
-- Samba Shared Repository
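Review bot: The memcpy into state->data in rpc_np_read_done takes its length from state->received, which cli_read_andx_recv fills in from the server reply, and the new branch rejects only a length of zero. Whether an oversized length is rejected depends on the checks between the two rpc_np_read_done hunks, which are not visible here. If no such bound exists, a guard such as `if (state->received > <capacity of state->data>) { TALLOC_FREE(subreq); tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; }` belongs before the copy. Placing TALLOC_FREE(subreq) after the memcpy is the right order, presumably because rcvbuf hangs off subreq.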
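Review bot: rpc_sock_read_done treats only -1 from async_recv_recv as a failure, so a read of zero bytes still reaches tevent_req_done, whereas this same series makes rpc_np_read_done report NT_STATUS_PIPE_BROKEN for that case. Unless async_recv_recv already turns end-of-file into an error (not visible in this hunk), the socket transport can leave the caller waiting for data that will never arrive. The same handling would fit after the -1 branch: `if (state->received == 0) { TALLOC_FREE(subreq); tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN); return; }`, with the fd closed as the -1 branch does. The function starts outside the hunk.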
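Review bot: In rpc_sock_write_done, and likewise in rpc_sock_read_done, nothing visible uses subreq after the _recv call, so the two per-path frees could be a single `TALLOC_FREE(subreq);` placed directly after `state->sent = async_send_recv(subreq, &err);`. A single free at that point keeps subreq freed on every path when another exit is added later, which is the failure the commit message describes (the timeout function called with already freed data). The comment would then read `/* Free subreq right after the _recv call; it has a timer event attached. */`. The function starts outside the hunk.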