From: Jeremy Allison Date: Tue, 20 Oct 2020 19:14:58 +0000 (-0700) Subject: lib: talloc: Fix pool object accounting when doing talloc_realloc() in the ALWAYS_REA... X-Git-Tag: talloc-2.3.2~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e0aab0b4038255b2d63e8687924a21d77bace91;p=thirdparty%2Fsamba.git lib: talloc: Fix pool object accounting when doing talloc_realloc() in the ALWAYS_REALLOC compiled case. tc_alloc_pool() or the fallback malloc can return NULL. Wait until we know we are returning a valid pointer before decrementing pool_hdr->object_count due to reallocing out of the talloc_pool. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett
---
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 54250c1b67d..885705234d4 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1901,8 +1901,6 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 #if (ALWAYS_REALLOC != 0)
 if (pool_hdr) {
 new_ptr = tc_alloc_pool(tc, size + TC_HDR_SIZE, 0);
- pool_hdr->object_count--;
-
 if (new_ptr == NULL) {
 new_ptr = malloc(TC_HDR_SIZE+size);
 malloced = true;
@@ -1912,6 +1910,11 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 if (new_ptr) {
 memcpy(new_ptr, tc, MIN(tc->size,size) + TC_HDR_SIZE);
 TC_INVALIDATE_FULL_CHUNK(tc);
+ /*
+ * Only decrement the object count in the pool once
+ * we know we're returning a valid new_ptr.
+ */
+ pool_hdr->object_count--;
 }
 } else {
 /* We're doing malloc then free here, so record the difference. */
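Review bot: The comment added above `pool_hdr->object_count--;` in the second hunk says when the decrement happens but not what goes wrong otherwise, which is what a later maintainer needs in order to keep this ordering. When both `tc_alloc_pool()` and the fallback `malloc()` return NULL, the `if (new_ptr)` body is skipped and the old chunk `tc` stays where it is, so an early decrement would leave the pool's count one below its live objects; presumably the pool could then be released while `tc` is still referenced. I would spell that out, e.g. `/* On failure tc stays live in the pool, so its count must not drop; decrement only once new_ptr is valid. */`. This branch is compiled only when `ALWAYS_REALLOC != 0` and no test accompanies the patch as shown here, so a regression case that forces the NULL path in that build would be worth adding. `_talloc_realloc()` starts and ends outside the hunk.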