r20160: Fix long-standing (ie. from initial code I think) bug

in tdb message processing. If we're inside a dispatch
function and we delete our own handler we'd walk onto
the next pointer from a deleted memory block. Fixes
crash bug in winbindd (and goodness knows where else).
Jeremy.
(This used to be commit 27a4c1121404e346432d90b97b518861e038e9f2)

diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 93e12ebe35adabb3a89628246de238ba4443d736..10fc5af24d3fe83571c5bffd1d763f016bc6c2a7 100644 (file)
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -471,7 +471,6 @@ void message_dispatch(void)
        char *buf;
        char *msgs_buf;
        size_t len, total_len;
-       struct dispatch_fns *dfn;
        int n_handled;
 
        if (!received_signal)
@@ -485,11 +484,15 @@ void message_dispatch(void)
                return;
 
        for (buf = msgs_buf; message_recv(msgs_buf, total_len, &msg_type, &src, &buf, &len); buf += len) {
+               struct dispatch_fns *dfn, *next;
+
                DEBUG(10,("message_dispatch: received msg_type=%d "
                          "src_pid=%u\n", msg_type,
                          (unsigned int) procid_to_pid(&src)));
+
                n_handled = 0;
-               for (dfn = dispatch_fns; dfn; dfn = dfn->next) {
+               for (dfn = dispatch_fns; dfn; dfn = next) {
+                       next = dfn->next;                       
                        if (dfn->msg_type == msg_type) {
                                DEBUG(10,("message_dispatch: processing message of type %d.\n", msg_type));
                                dfn->fn(msg_type, src, len ? (void *)buf : NULL, len);