s3: smbd: Now we free fsp->aio_requests when it gets zero entries, talloc in chunks...
author Jeremy Allison <jra@samba.org>
Wed, 11 Mar 2020 21:47:50 +0000 (14:47 -0700)
committer Jeremy Allison <jra@samba.org>
Wed, 18 Mar 2020 18:03:28 +0000 (18:03 +0000)
Prevents incremental +1 tallocs, and the original
idea of this array was that it wasn't freed for
io efficiency reasons. Add paranoia integer wrap
protection also.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/smbd/aio.c

index afe76608cd3ab0a450a9f9a8dacd336026374770..cf35f3297ec3344504d3abcb7916bd83ea1046a5 100644 (file)
@@ -122,9 +122,19 @@ bool aio_add_req_to_fsp(files_struct *fsp, struct tevent_req *req)
        if (array_len <= fsp->num_aio_requests) {
                struct tevent_req **tmp;
 
+               if (fsp->num_aio_requests + 10 < 10) {
+                       /* Integer wrap. */
+                       TALLOC_FREE(lnk);
+                       return false;
+               }
+
+               /*
+                * Allocate in blocks of 10 so we don't allocate
+                * on every aio request.
+                */
                tmp = talloc_realloc(
                        fsp, fsp->aio_requests, struct tevent_req *,
-                       fsp->num_aio_requests+1);
+                       fsp->num_aio_requests+10);
                if (tmp == NULL) {
                        TALLOC_FREE(lnk);
                        return false;
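Review bot: the wrap test added at the top of this hunk, `if (fsp->num_aio_requests + 10 < 10)`, is only reliable when `num_aio_requests` has an unsigned type, and its declaration is not visible in these lines. If the counter is a signed int, the addition overflowing is undefined behaviour in C and a compiler is allowed to drop the test entirely. Comparing the counter against its type's maximum minus the block size before doing the addition would not depend on wraparound at all. Separately, the literal 10 appears in the check and again in the `talloc_realloc()` count `fsp->num_aio_requests+10`; a single named constant for the block size would keep the guard and the allocation from drifting apart if the chunk size is changed later.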