sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-08 05:57:51 +03:00
Code

r4935: fixed a bug where "c->status = xxx_handler(x);" could write to c after

Browse Source 
it is freed. The problem is that the handler might complete the
request, and called the c->async.fn() async handler. That handler
might free the request handle.
This commit is contained in:
Andrew Tridgell 2005-01-23 00:51:20 +00:00 committed by Gerald (Jerry) Carter
parent 362151788b
commit c4faceadc7
3 changed files with 22 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
source/libcli/composite/connect.c
View File

@ -277,29 +277,31 @@ static NTSTATUS connect_resolve(struct smbcli_composite *c,
static void state_handler(struct smbcli_composite *c)
{
struct connect_state *state = talloc_get_type(c->private, struct connect_state);
NTSTATUS status;
switch (state->stage) {
case CONNECT_RESOLVE:
c->status = connect_resolve(c, state->io);
status = connect_resolve(c, state->io);
break;
case CONNECT_SOCKET:
c->status = connect_socket(c, state->io);
status = connect_socket(c, state->io);
break;
case CONNECT_SESSION_REQUEST:
c->status = connect_session_request(c, state->io);
status = connect_session_request(c, state->io);
break;
case CONNECT_NEGPROT:
c->status = connect_negprot(c, state->io);
status = connect_negprot(c, state->io);
break;
case CONNECT_SESSION_SETUP:
c->status = connect_session_setup(c, state->io);
status = connect_session_setup(c, state->io);
break;
case CONNECT_TCON:
c->status = connect_tcon(c, state->io);
status = connect_tcon(c, state->io);
break;
}
if (!NT_STATUS_IS_OK(c->status)) {
if (!NT_STATUS_IS_OK(status)) {
c->status = status;
c->state = SMBCLI_REQUEST_ERROR;
if (c->async.fn) {
c->async.fn(c);

11
source/libcli/composite/loadfile.c
View File

@ -185,24 +185,26 @@ static void loadfile_handler(struct smbcli_request *req)
{
struct smbcli_composite *c = req->async.private;
struct loadfile_state *state = talloc_get_type(c->private, struct loadfile_state);
NTSTATUS status;
/* when this handler is called, the stage indicates what
call has just finished */
switch (state->stage) {
case LOADFILE_OPEN:
c->status = loadfile_open(c, state->io);
status = loadfile_open(c, state->io);
break;
case LOADFILE_READ:
c->status = loadfile_read(c, state->io);
status = loadfile_read(c, state->io);
break;
case LOADFILE_CLOSE:
c->status = loadfile_close(c, state->io);
status = loadfile_close(c, state->io);
break;
}
if (!NT_STATUS_IS_OK(c->status)) {
if (!NT_STATUS_IS_OK(status)) {
c->status = status;
c->state = SMBCLI_REQUEST_ERROR;
if (c->async.fn) {
c->async.fn(c);
@ -291,3 +293,4 @@ NTSTATUS smb_composite_loadfile(struct smbcli_tree *tree,
struct smbcli_composite *c = smb_composite_loadfile_send(tree, io);
return smb_composite_loadfile_recv(c, mem_ctx);
}

10
source/libcli/composite/savefile.c
View File

@ -186,24 +186,26 @@ static void savefile_handler(struct smbcli_request *req)
{
struct smbcli_composite *c = req->async.private;
struct savefile_state *state = talloc_get_type(c->private, struct savefile_state);
NTSTATUS status;
/* when this handler is called, the stage indicates what
call has just finished */
switch (state->stage) {
case SAVEFILE_OPEN:
c->status = savefile_open(c, state->io);
status = savefile_open(c, state->io);
break;
case SAVEFILE_WRITE:
c->status = savefile_write(c, state->io);
status = savefile_write(c, state->io);
break;
case SAVEFILE_CLOSE:
c->status = savefile_close(c, state->io);
status = savefile_close(c, state->io);
break;
}
if (!NT_STATUS_IS_OK(c->status)) {
if (!NT_STATUS_IS_OK(status)) {
c->status = status;
c->state = SMBCLI_REQUEST_ERROR;
if (c->async.fn) {
c->async.fn(c);