From 4f331872bc783445c709e5fe4846b8687e274953 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Wed, 18 Jul 2012 04:54:31 +0930
Subject: [PATCH] talloc: don't allow a talloc_pool inside a talloc_pool.

We explicitly call free() on a pool which falls to zero, assuming it's not inside another pool (we crash). Check on creation and explicitly document this case.

Signed-off-by: Rusty Russell
---
 lib/talloc/talloc.c | 7 +++++++
 lib/talloc/talloc.h | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 345f2129635..18ee5480957 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -604,6 +604,13 @@ _PUBLIC_ void *talloc_pool(const void *context, size_t size)
 	}
 
 	pool_tc = (union talloc_pool_chunk *)talloc_chunk_from_ptr(result);
+	if (unlikely(pool_tc->hdr.c.flags & TALLOC_FLAG_POOLMEM)) {
+		/* We don't handle this correctly, so fail. */
+		talloc_log("talloc: cannot allocate pool off another pool %s\n",
+			   talloc_get_name(context));
+		talloc_free(result);
+		return NULL;
+	}
 	pool_tc->hdr.c.flags |= TALLOC_FLAG_POOL;
 	pool_tc->hdr.c.pool = tc_pool_first_chunk(pool_tc);
 
diff --git a/lib/talloc/talloc.h b/lib/talloc/talloc.h
index 05e6292405d..e48dc09a400 100644
--- a/lib/talloc/talloc.h
+++ b/lib/talloc/talloc.h
@@ -839,7 +839,8 @@ void *talloc_find_parent_bytype(const void *ptr, #type);
  * talloc pool to a talloc parent outside the pool, the whole pool memory is
  * not free(3)'ed until that moved chunk is also talloc_free()ed.
  *
- * @param[in] context The talloc context to hang the result off.
+ * @param[in] context The talloc context to hang the result off (must not
+ * be another pool).
  *
  * @param[in] size Size of the talloc pool.
  *
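Review bot: The guard added in talloc_pool() rejects more than its message and the talloc.h hunk describe: it tests TALLOC_FLAG_POOLMEM on the freshly allocated chunk, which is presumably set whenever that chunk was carved out of a pool, so a context that is merely allocated inside a pool fails here just as a pool context does. I would align the documentation with the check, in the talloc.h hunk `* @param[in] context The talloc context to hang the result off (must not` / `* be a pool, nor any context allocated from a pool).`, and use the same wording in the talloc_log() line. The failure surfaces to the caller as NULL, indistinguishable from an out-of-memory return, so a short comment on the `return NULL;` such as `/* Caller sees this as OOM; the log line above is the only diagnostic. */` would help the next reader. The body of talloc_pool() begins and ends outside the hunk, so I cannot see whether context may be NULL at this point; if it can, confirm talloc_get_name() tolerates it.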