Mirror of https://github.com/samba-team/samba.git (synced 2024-12-25 23:21:54 +03:00)

Commit a4599b3011
In the NTVFS server we have the following talloc hierarchy:

                          event_ctx
                              |
        ----------------------------------------------------
        |            ..  other children    |               |
        |                                  |               |
   msg_dgm_ref                          srv_conn       msg_dgm_ref
        ^                                  |
        |                          NTVFS structures
        |                                  |
        |                                XXXXXX
        |                                  |
        |                                  |
        ---------------------  pointer to msg_dgm_ref

Some of the structures under NTVFS (marked XXXXX) can have pointers to imessaging contexts which internally have pointers to msg_dgm_ref structures allocated off event_ctx.

The original code calls:

    model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
    talloc_free(srv_conn);

But model_ops->terminate() calls talloc_free(event_ctx) and then calls exit(). In this case srv_conn is never explicitly freed, but only freed as a talloc child of the event_ctx.

Depending on the ordering of the linked list of talloc children under event_ctx (which can be reordered via talloc_free/reinit of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can be left pointing to memory that was already freed. This pointer is then used in the destructor for a file object called when srv_conn is freed.

Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first and then model_ops->terminate() fixes this problem.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Apr 2 05:18:39 CEST 2017 on sn-devel-144
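The ordering hazard described in the commit message is easy to reproduce with a few lines of C. The following is an added example, not Samba code and not libtalloc: it re-implements just enough of talloc's parent/child/destructor semantics (hypothetical helpers tnew, tfree, tset_destructor) to show that (a) a parent's children are freed in list order, (b) freeing and re-creating msg_dgm_ref moves it to the head of event_ctx's child list so it is released before srv_conn, and (c) freeing srv_conn explicitly before the event context removes the dependency on that order. It assumes, as libtalloc does, that new children are inserted at the head of the parent's child list and freed head first, and that a chunk's destructor runs before its own children are freed. Freed chunks are poisoned and quarantined instead of being returned to malloc so the dangling access is reported rather than crashing; the struct names (msg_dgm_ref, imessaging, srv_conn, file_obj) are stand-ins for the real ones.

```c
/* Added example: minimal talloc-like hierarchy reproducing the commit's ordering bug.
 * Hypothetical helpers, not libtalloc. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct tctx tctx;
typedef int (*tdtor)(void *ptr);

struct tctx {
    tctx *parent, *child, *next, *prev;
    tdtor destructor;
    int freed;                 /* poison flag: set once the chunk is "released" */
};

#define CHUNK(p) ((tctx *)(p) - 1)   /* header sits directly in front of the payload */
#define PTR(c)   ((void *)((c) + 1))

static tctx *quarantine[16];         /* freed chunks kept alive to detect dangling use */
static int nquarantine;

static void *tnew(void *parent, size_t size)
{
    tctx *c = calloc(1, sizeof(tctx) + size);
    if (!c) abort();
    if (parent) {                    /* insert at head, as talloc's _TLIST_ADD does */
        tctx *p = CHUNK(parent);
        c->parent = p;
        c->next = p->child;
        if (p->child) p->child->prev = c;
        p->child = c;
    }
    return PTR(c);
}

static void tset_destructor(void *ptr, tdtor d) { CHUNK(ptr)->destructor = d; }
static int tis_freed(void *ptr) { return CHUNK(ptr)->freed; }

static void tfree(void *ptr)
{
    tctx *c = CHUNK(ptr);
    if (c->destructor) c->destructor(ptr);     /* destructor first, then children */
    while (c->child) tfree(PTR(c->child));    /* head first: newest child goes first */
    if (c->parent) {                           /* unlink from the parent's list */
        if (c->prev) c->prev->next = c->next; else c->parent->child = c->next;
        if (c->next) c->next->prev = c->prev;
    }
    c->freed = 1;
    if (nquarantine < 16) quarantine[nquarantine++] = c; else free(c);
}

static void drain_quarantine(void)
{
    while (nquarantine > 0) free(quarantine[--nquarantine]);
}

/* Stand-ins for the real structures named in the commit message. */
struct msg_dgm_ref { int id; };
struct imessaging  { struct msg_dgm_ref *ref; };   /* points at a child of event_ctx */
struct srv_conn    { struct imessaging msg; };
struct file_obj    { struct srv_conn *conn; };     /* the "XXXXXX" NTVFS object */

static int g_uaf;   /* set when a destructor touches an already-freed msg_dgm_ref */

static int file_destructor(void *ptr)
{
    struct file_obj *f = ptr;
    struct msg_dgm_ref *ref = f->conn->msg.ref;
    if (tis_freed(ref)) g_uaf = 1;   /* with real talloc this is a use-after-free */
    else ref->id++;                  /* stand-in for cleanup that really touches the ref */
    return 0;
}

/* Returns 1 if the file destructor saw a freed msg_dgm_ref (the bug), else 0. */
static int simulate(int reinit_msg_ref, int free_conn_first)
{
    g_uaf = 0;
    void *event_ctx = tnew(NULL, 1);
    struct msg_dgm_ref *ref = tnew(event_ctx, sizeof *ref);
    struct srv_conn *conn = tnew(event_ctx, sizeof *conn);
    struct file_obj *f = tnew(conn, sizeof *f);
    conn->msg.ref = ref;
    f->conn = conn;
    tset_destructor(f, file_destructor);

    if (reinit_msg_ref) {            /* free + re-create moves the ref to the list head */
        tfree(ref);
        ref = tnew(event_ctx, sizeof *ref);
        conn->msg.ref = ref;
    }
    if (free_conn_first) tfree(conn);   /* the fix: TALLOC_FREE(srv_conn) before terminate() */
    tfree(event_ctx);                   /* model_ops->terminate(): talloc_free(event_ctx) */
    drain_quarantine();
    return g_uaf;
}

int main(void)
{
    printf("no reinit, implicit free : uaf=%d\n", simulate(0, 0));
    printf("reinit,    implicit free : uaf=%d\n", simulate(1, 0));
    printf("reinit,    explicit free : uaf=%d\n", simulate(1, 1));
    return 0;
}
```

The second case is the one the commit describes: once msg_dgm_ref has been re-created it sits ahead of srv_conn in event_ctx's child list, so talloc_free(event_ctx) releases it before the file object's destructor runs. The fix does not change the list order; it removes srv_conn (and its destructors) from the picture before the event context is torn down, which is the general rule for any talloc subtree whose destructors reach into sibling allocations.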
Files in this directory:

process_model.c
process_model.h
process_single.c
process_standard.c
server.c
service_named_pipe.c
service_stream.c
service_stream.h
service_task.c
service_task.h
service.c
service.h
wscript_build