Attachment 5597 Details for Bug 7159 – Patch for v3-4

[patch] Patch for v3-4

tmp.diff (text/plain), 3.88 KB, created by Stefan Metzmacher on 2010-04-06 08:21:58 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2010-04-06 08:21:58 UTC

Size: 3.88 KB

patch

obsolete

>From d30987ab93a33f01cb8c67fb9f9432a058208127 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Apr 2010 12:20:02 +0200
>Subject: [PATCH 1/2] First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns.
>
>Ensure that subreq is *always* talloc_free'd in the _done
>function, as it has an event timeout attached. If the
>read requests look longer than the cli->timeout, then
>the timeout fn is called with already freed data.
>
>Jeremy.
>(cherry picked from commit ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7)
>(similar to commit 6e5b6b5acb30869eb63b25ed1406014101a5e89d)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/rpc_client/rpc_transport_np.c   |    4 ++++
> source3/rpc_client/rpc_transport_sock.c |   12 ++++++++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
>
>diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
>index 80ff384..fdfbab4 100644
>--- a/source3/rpc_client/rpc_transport_np.c
>+++ b/source3/rpc_client/rpc_transport_np.c
>@@ -159,6 +159,9 @@ static void rpc_np_read_done(struct async_req *subreq)
> 	NTSTATUS status;
> 	uint8_t *rcvbuf;
> 
>+	/* We must free subreq in this function as there is
>+	   a timer event attached to it. */
>+
> 	status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
> 	/*
> 	 * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
>@@ -180,6 +183,7 @@ static void rpc_np_read_done(struct async_req *subreq)
> 	}
> 
> 	memcpy(state->data, rcvbuf, state->received);
>+	TALLOC_FREE(subreq);
> 	async_req_done(req);
> }
> 
>diff --git a/source3/rpc_client/rpc_transport_sock.c b/source3/rpc_client/rpc_transport_sock.c
>index b1d9d8f..7115dc4 100644
>--- a/source3/rpc_client/rpc_transport_sock.c
>+++ b/source3/rpc_client/rpc_transport_sock.c
>@@ -76,11 +76,17 @@ static void rpc_sock_read_done(struct tevent_req *subreq)
> 		req->private_data, struct rpc_sock_read_state);
> 	int err;
> 
>+	/* We must free subreq in this function as there is
>+	  a timer event attached to it. */
>+
> 	state->received = async_recv_recv(subreq, &err);
>+
> 	if (state->received == -1) {
>+		TALLOC_FREE(subreq);
> 		async_req_nterror(req, map_nt_error_from_unix(err));
> 		return;
> 	}
>+	TALLOC_FREE(subreq);
> 	async_req_done(req);
> }
> 
>@@ -137,11 +143,17 @@ static void rpc_sock_write_done(struct tevent_req *subreq)
> 		req->private_data, struct rpc_sock_write_state);
> 	int err;
> 
>+	/* We must free subreq in this function as there is
>+	  a timer event attached to it. */
>+
> 	state->sent = async_send_recv(subreq, &err);
>+
> 	if (state->sent == -1) {
>+		TALLOC_FREE(subreq);
> 		async_req_nterror(req, map_nt_error_from_unix(err));
> 		return;
> 	}
>+	TALLOC_FREE(subreq);
> 	async_req_done(req);
> }
> 
>-- 
>1.6.3.3
>
>
>From eebb19ca3c4172c7b0c217ca05d328c4a42836e2 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 19 Feb 2010 14:24:17 -0800
>Subject: [PATCH 2/2] Second part of fix for bug #7159 - client rpc_transport doesn't cope with bad server data returns.
>
>If server returns zero on a NP read. Report pipe broken.
>Prevents client from looping if it thinks there should be
>more data.
>
>Jeremy.
>(cherry picked from commit 0055e33dbed0e81548464d01bcf864255bab3159)
>(cherry picked from commit f5ca9f84e9b511c2ba7a4280b1997daa441f9877)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/rpc_client/rpc_transport_np.c |    6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
>diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
>index fdfbab4..4ea361b 100644
>--- a/source3/rpc_client/rpc_transport_np.c
>+++ b/source3/rpc_client/rpc_transport_np.c
>@@ -182,6 +182,12 @@ static void rpc_np_read_done(struct async_req *subreq)
> 		return;
> 	}
> 
>+	if (state->received == 0) {
>+		TALLOC_FREE(subreq);
>+		async_req_nterror(req, NT_STATUS_PIPE_BROKEN);
>+		return;
>+	}
>+
> 	memcpy(state->data, rcvbuf, state->received);
> 	TALLOC_FREE(subreq);
> 	async_req_done(req);
>-- 
>1.6.3.3
>

Flags:

jra: review+

Actions: View

Attachments on bug 7159: 5401 | 5402 | 5403 | 5597