mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
r20160: Fix long-standing (ie. from initial code I think) bug
in tdb message processing. If we're inside a dispatch function and we delete our own handler we'd walk onto the next pointer from a deleted memory block. Fixes crash bug in winbindd (and goodness knows where else). Jeremy.
This commit is contained in:
parent
20aa6322ef
commit
27a4c11214
@ -471,7 +471,6 @@ void message_dispatch(void)
|
||||
char *buf;
|
||||
char *msgs_buf;
|
||||
size_t len, total_len;
|
||||
struct dispatch_fns *dfn;
|
||||
int n_handled;
|
||||
|
||||
if (!received_signal)
|
||||
@ -485,11 +484,15 @@ void message_dispatch(void)
|
||||
return;
|
||||
|
||||
for (buf = msgs_buf; message_recv(msgs_buf, total_len, &msg_type, &src, &buf, &len); buf += len) {
|
||||
struct dispatch_fns *dfn, *next;
|
||||
|
||||
DEBUG(10,("message_dispatch: received msg_type=%d "
|
||||
"src_pid=%u\n", msg_type,
|
||||
(unsigned int) procid_to_pid(&src)));
|
||||
|
||||
n_handled = 0;
|
||||
for (dfn = dispatch_fns; dfn; dfn = dfn->next) {
|
||||
for (dfn = dispatch_fns; dfn; dfn = next) {
|
||||
next = dfn->next;
|
||||
if (dfn->msg_type == msg_type) {
|
||||
DEBUG(10,("message_dispatch: processing message of type %d.\n", msg_type));
|
||||
dfn->fn(msg_type, src, len ? (void *)buf : NULL, len);
|
||||
|
Loading…
Reference in New Issue
Block a user