mirror of
https://github.com/samba-team/samba.git
synced 2025-02-28 01:58:17 +03:00
If *async_reply isn't set then the calling code will reply to the control and free the control structure. In some places the control structure pointer is stolen onto state before a synchronous exit due to an error condition. The error handling then frees state and returns an error. The calling code will access-after-free when trying to reply to the control.

To make this easier to understand, the convention is that any (immediate) error results in a synchronous reply to the control via an error return code AND *async_reply not being set. In this case the control structure pointer should never be stolen onto state. State is never used for a synchronous reply, it is only ever used by a callback.

Also initialise state->c to NULL so that any premature call to a callback (e.g. in an immediate error path) is more obvious.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12180
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 9d975b860d52030a702723c70791c6a2829107c0)
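
The ownership convention from the commit message above, modelled as an added example in plain C; this is not Samba or ctdb code. The names `struct control`, `struct state`, `handle_control`, `async_callback` and `dispatch` are hypothetical, and plain `free()` stands in for talloc, where a control stolen onto state is freed together with state.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the control structure and per-request state. */
struct control { int replies; };
struct state { struct control *c; };
static struct state *pending;   /* state kept for the later callback */

/* Immediate error: non-zero return, *async_reply left false, c not owned. */
int handle_control(struct control *c, bool fail_early, bool *async_reply)
{
    struct state *st = calloc(1, sizeof(*st));   /* st->c starts as NULL */
    if (st == NULL) return -1;
    if (fail_early) {
        /* The buggy ordering attached c to st before this exit, so freeing
         * st also freed c while the caller still had to reply on it. */
        free(st);
        return -1;
    }
    st->c = c;              /* ownership moves only once the reply is async */
    pending = st;
    *async_reply = true;
    return 0;
}

/* Callback: the only user of state and of the control it now owns. */
void async_callback(void)
{
    pending->c->replies++;
    free(pending->c);
    free(pending);
    pending = NULL;
}

/* Caller: replies to and frees the control unless the reply is async. */
int dispatch(bool fail_early, int *sync_replies)
{
    struct control *c = calloc(1, sizeof(*c));
    bool async_reply = false;
    if (c == NULL) return -1;
    int ret = handle_control(c, fail_early, &async_reply);
    if (!async_reply) {
        *sync_replies = ++c->replies;   /* safe: c is still owned here */
        free(c);
    }
    return ret;
}

int main(void) { int n = 0; return !(dispatch(true, &n) == -1 && n == 1); }
```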