mirror of
https://github.com/samba-team/samba.git
synced 2025-12-06 16:23:49 +03:00
r2618: before we had refererence counts in talloc I added a hack in the
server side request structure to prevent a structing being freed in some circumstances. This change replaces this with the much more robust mechanism of talloc_increase_ref_count().
This commit is contained in:
Andrew Tridgell
committed by
Gerald (Jerry) Carter
Gerald (Jerry) Carter
parent
01a759b627
commit
3f7741f178
@@ -198,8 +198,6 @@ void reply_nttrans(struct smbsrv_request *req)
|
||||
params = trans.out.params.data;
|
||||
data = trans.out.data.data;
|
||||
|
||||
req->control_flags |= REQ_CONTROL_PROTECTED;
|
||||
|
||||
/* we need to divide up the reply into chunks that fit into
|
||||
the negotiated buffer size */
|
||||
do {
|
||||
@@ -254,9 +252,9 @@ void reply_nttrans(struct smbsrv_request *req)
|
||||
params += this_param;
|
||||
data += this_data;
|
||||
|
||||
/* if this is the last chunk then the request can be destroyed */
|
||||
if (params_left == 0 && data_left == 0) {
|
||||
req->control_flags &= ~REQ_CONTROL_PROTECTED;
|
||||
/* don't destroy unless this is the last segment */
|
||||
if (params_left != 0 || data_left != 0) {
|
||||
talloc_increase_ref_count(req);
|
||||
}
|
||||
|
||||
req_send_reply(req);
|
||||
|
||||
@@ -1332,13 +1332,9 @@ void reply_echo(struct smbsrv_request *req)
|
||||
|
||||
memcpy(req->out.data, req->in.data, req->in.data_size);
|
||||
|
||||
/* we need to make sure the request isn't destroyed till the
|
||||
* last packet */
|
||||
req->control_flags |= REQ_CONTROL_PROTECTED;
|
||||
|
||||
for (i=1; i <= count;i++) {
|
||||
if (i == count) {
|
||||
req->control_flags &= ~REQ_CONTROL_PROTECTED;
|
||||
if (i != count) {
|
||||
talloc_increase_ref_count(req);
|
||||
}
|
||||
|
||||
SSVAL(req->out.vwv, VWV(0), i);
|
||||
|
||||
@@ -30,12 +30,6 @@
|
||||
/* destroy a request structure */
|
||||
void req_destroy(struct smbsrv_request *req)
|
||||
{
|
||||
/* the request might be marked protected. This is done by the
|
||||
* SMBecho code for example */
|
||||
if (req->control_flags & REQ_CONTROL_PROTECTED) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* ahh, its so nice to destroy a complex structure in such a
|
||||
* simple way! */
|
||||
talloc_free(req);
|
||||
|
||||
@@ -1323,8 +1323,6 @@ void reply_trans_generic(struct smbsrv_request *req, uint8_t command)
|
||||
params = trans.out.params.data;
|
||||
data = trans.out.data.data;
|
||||
|
||||
req->control_flags |= REQ_CONTROL_PROTECTED;
|
||||
|
||||
/* we need to divide up the reply into chunks that fit into
|
||||
the negotiated buffer size */
|
||||
do {
|
||||
@@ -1384,9 +1382,9 @@ void reply_trans_generic(struct smbsrv_request *req, uint8_t command)
|
||||
params += this_param;
|
||||
data += this_data;
|
||||
|
||||
/* if this is the last chunk then the request can be destroyed */
|
||||
if (params_left == 0 && data_left == 0) {
|
||||
req->control_flags &= ~REQ_CONTROL_PROTECTED;
|
||||
/* don't destroy unless this is the last chunk */
|
||||
if (params_left != 0 || data_left != 0) {
|
||||
talloc_increase_ref_count(req);
|
||||
}
|
||||
|
||||
req_send_reply(req);
|
||||
|
||||
Reference in New Issue
Block a user