From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Apr 2010 10:20:02 +0000 (+0200)
Subject: First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0223d59ea950c8180047fd5de6c85f92c4e37ad2;p=thirdparty%2Fsamba.git

First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns.

Ensure that subreq is *always* talloc_free'd in the _done
function, as it has an event timeout attached. If the
read requests look longer than the cli->timeout, then
the timeout fn is called with already freed data.

Jeremy.
(cherry picked from commit ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7)
(similar to commit 6e5b6b5acb30869eb63b25ed1406014101a5e89d)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index 80ff3840462..fdfbab4ceac 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -159,6 +159,9 @@ static void rpc_np_read_done(struct async_req *subreq)
 	NTSTATUS status;
 	uint8_t *rcvbuf;
 
+	/* We must free subreq in this function as there is
+	   a timer event attached to it. */
+
 	status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
 	/*
 	 * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
@@ -180,6 +183,7 @@ static void rpc_np_read_done(struct async_req *subreq)
 	}
 
 	memcpy(state->data, rcvbuf, state->received);
+	TALLOC_FREE(subreq);
 	async_req_done(req);
 }
 
diff --git a/source3/rpc_client/rpc_transport_sock.c b/source3/rpc_client/rpc_transport_sock.c
index b1d9d8fbe13..7115dc4c928 100644
--- a/source3/rpc_client/rpc_transport_sock.c
+++ b/source3/rpc_client/rpc_transport_sock.c
@@ -76,11 +76,17 @@ static void rpc_sock_read_done(struct tevent_req *subreq)
 		req->private_data, struct rpc_sock_read_state);
 	int err;
 
+	/* We must free subreq in this function as there is
+	  a timer event attached to it. */
+
 	state->received = async_recv_recv(subreq, &err);
+
 	if (state->received == -1) {
+		TALLOC_FREE(subreq);
 		async_req_nterror(req, map_nt_error_from_unix(err));
 		return;
 	}
+	TALLOC_FREE(subreq);
 	async_req_done(req);
 }
 
@@ -137,11 +143,17 @@ static void rpc_sock_write_done(struct tevent_req *subreq)
 		req->private_data, struct rpc_sock_write_state);
 	int err;
 
+	/* We must free subreq in this function as there is
+	  a timer event attached to it. */
+
 	state->sent = async_send_recv(subreq, &err);
+
 	if (state->sent == -1) {
+		TALLOC_FREE(subreq);
 		async_req_nterror(req, map_nt_error_from_unix(err));
 		return;
 	}
+	TALLOC_FREE(subreq);
 	async_req_done(req);
 }