talloc: don't allow a talloc_pool inside a talloc_pool.

We explicitly call free() on a pool which falls to zero, assuming it's
not inside another pool (we crash).  Check on creation and explicitly
document this case.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

lib/talloc/talloc.c

@@ -604,6 +604,13 @@ _PUBLIC_ void *talloc_pool(const void *context, size_t size)
 	}
 
 	pool_tc = (union talloc_pool_chunk *)talloc_chunk_from_ptr(result);
+	if (unlikely(pool_tc->hdr.c.flags & TALLOC_FLAG_POOLMEM)) {
+		/* We don't handle this correctly, so fail. */
+		talloc_log("talloc: cannot allocate pool off another pool %s\n",
+			   talloc_get_name(context));
+		talloc_free(result);
+		return NULL;
+	}
 	pool_tc->hdr.c.flags |= TALLOC_FLAG_POOL;
 	pool_tc->hdr.c.pool = tc_pool_first_chunk(pool_tc);
 

lib/talloc/talloc.h

@@ -839,7 +839,8 @@ void *talloc_find_parent_bytype(const void *ptr, #type);
  * talloc pool to a talloc parent outside the pool, the whole pool memory is
  * not free(3)'ed until that moved chunk is also talloc_free()ed.
  *
- * @param[in]  context  The talloc context to hang the result off.
+ * @param[in]  context  The talloc context to hang the result off (must not
+ *			be another pool).
  *
  * @param[in]  size     Size of the talloc pool.
  *