The branch, v3-5-test has been updated
       via  f5ca9f8... Second part of fix for bug #7159 - client rpc_transport 
doesn't cope with bad server data returns.
       via  6e5b6b5... First part of fix for bug #7159 - client rpc_transport 
doesn't cope with bad server data returns.
      from  78c6291... Fix one of the valgrind warnings from bug #6814 - Fixes 
for problems reported by valgrind

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit f5ca9f84e9b511c2ba7a4280b1997daa441f9877
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Feb 19 14:24:17 2010 -0800

    Second part of fix for bug #7159 - client rpc_transport doesn't cope with 
bad server data returns.
    
    If the server returns zero on a NP read, report pipe broken.
    Prevents client from looping if it thinks there should be
    more data.
    
    Jeremy.
    (cherry picked from commit 0055e33dbed0e81548464d01bcf864255bab3159)

commit 6e5b6b5acb30869eb63b25ed1406014101a5e89d
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Feb 19 14:18:51 2010 -0800

    First part of fix for bug #7159 - client rpc_transport doesn't cope with 
bad server data returns.
    
    Ensure that subreq is *always* talloc_free'd in the _done
    function, as it has an event timeout attached. If the
    read requests take longer than the cli->timeout, then
    the timeout fn is called with already freed data.
    
    Jeremy.
    (cherry picked from commit ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7)

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_client/rpc_transport_np.c   |   10 ++++++++++
 source3/rpc_client/rpc_transport_sock.c |   12 ++++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/rpc_transport_np.c 
b/source3/rpc_client/rpc_transport_np.c
index fdcdfd3..1b9c7fc 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -157,6 +157,9 @@ static void rpc_np_read_done(struct tevent_req *subreq)
        NTSTATUS status;
        uint8_t *rcvbuf;
 
+       /* We must free subreq in this function as there is
+          a timer event attached to it. */
+
        status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
        /*
         * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
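Review bot: The added comment in rpc_np_read_done ("We must free subreq in this function") now sits just above the older one that says "We can't TALLOC_FREE(subreq) as usual here", and read together the two look contradictory. A single comment stating both constraints would be clearer, e.g. `/* subreq carries a timer event, so free it on every exit path, but only once rcvbuf (which still hangs off subreq) has been copied out. */`. The older comment is cut off at the hunk boundary, so the rcvbuf wording should follow its full text. The function body starts and ends outside this hunk.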
@@ -177,7 +180,14 @@ static void rpc_np_read_done(struct tevent_req *subreq)
                return;
        }
 
+       if (state->received == 0) {
+               TALLOC_FREE(subreq);
+               tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN);
+               return;
+       }
+
        memcpy(state->data, rcvbuf, state->received);
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }
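Review bot: The new `state->received == 0` branch in rpc_np_read_done has no comment saying why an empty read is fatal. The commit message gives the reason, and it belongs next to the check, e.g. `/* A zero-length NP read would leave the caller waiting for data that never arrives; report the pipe as broken instead. */`. The memcpy that follows still copies `state->received` bytes, a length that comes from the server reply, and the only bound visible in this hunk is the zero check. Any upper bound against the destination buffer would sit in the lines between the two hunks, so it is worth confirming while reviewing this fix.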
 
diff --git a/source3/rpc_client/rpc_transport_sock.c 
b/source3/rpc_client/rpc_transport_sock.c
index df060e6..4ab17db 100644
--- a/source3/rpc_client/rpc_transport_sock.c
+++ b/source3/rpc_client/rpc_transport_sock.c
@@ -88,15 +88,21 @@ static void rpc_sock_read_done(struct tevent_req *subreq)
                req, struct rpc_sock_read_state);
        int err;
 
+       /* We must free subreq in this function as there is
+         a timer event attached to it. */
+
        state->received = async_recv_recv(subreq, &err);
+
        if (state->received == -1) {
                if (state->transp->fd != -1) {
                        close(state->transp->fd);
                        state->transp->fd = -1;
                }
+               TALLOC_FREE(subreq);
                tevent_req_nterror(req, map_nt_error_from_unix(err));
                return;
        }
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }
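Review bot: rpc_sock_read_done still treats a zero-byte result from `async_recv_recv` as success, because only `-1` is rejected before `tevent_req_done(req)`. The named-pipe path in this same push fails a zero read with NT_STATUS_PIPE_BROKEN so the client cannot loop on a server that sends nothing. Whether the socket caller can loop the same way is not visible here, but a zero read on a stream socket normally means the peer closed the connection, so the same guard looks appropriate. The start of the function is outside the hunk.

```c
	state->received = async_recv_recv(subreq, &err);

	/* … unchanged: -1 branch that closes the fd and maps err … */

	if (state->received == 0) {
		/* Peer closed the connection: fail rather than report an empty read. */
		if (state->transp->fd != -1) {
			close(state->transp->fd);
			state->transp->fd = -1;
		}
		TALLOC_FREE(subreq);
		tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN);
		return;
	}
```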
 
@@ -165,15 +171,21 @@ static void rpc_sock_write_done(struct tevent_req *subreq)
                req, struct rpc_sock_write_state);
        int err;
 
+       /* We must free subreq in this function as there is
+         a timer event attached to it. */
+
        state->sent = async_send_recv(subreq, &err);
+
        if (state->sent == -1) {
                if (state->transp->fd != -1) {
                        close(state->transp->fd);
                        state->transp->fd = -1;
                }
+               TALLOC_FREE(subreq);
                tevent_req_nterror(req, map_nt_error_from_unix(err));
                return;
        }
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }
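Review bot: In rpc_sock_write_done the new `TALLOC_FREE(subreq);` is repeated in the error branch and on the success path, although nothing after `async_send_recv` reads from subreq in the visible lines. A single `TALLOC_FREE(subreq);` placed directly after `state->sent = async_send_recv(subreq, &err);` would cover every exit, and a later early return could not bring back the stale-timer problem this commit fixes. The same applies to rpc_sock_read_done in the previous hunk. rpc_np_read_done cannot do this because rcvbuf is still needed for the memcpy. The start of the function is outside the hunk.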
 


-- 
Samba Shared Repository
