r23057: only call the async recv function for the first pending receive, not

all pending receives, when the transport dies. This is because the
async callback most commonly shuts down the connection (it's the only
reasonable thing to do when it's dead), and that frees the whole
context. That means that if we loop more than once, we'll end up using
freed memory.

diff --git a/source/libcli/raw/clitransport.c b/source/libcli/raw/clitransport.c
index 8c4c7f7c4389ea756694e41fe8ae19b5db3055aa..ea2aa880b657c73de3ab38acc281d8b3f86606e1 100644 (file)
--- a/source/libcli/raw/clitransport.c
+++ b/source/libcli/raw/clitransport.c
@@ -138,8 +138,11 @@ void smbcli_transport_dead(struct smbcli_transport *transport, NTSTATUS status)
                status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
        }
 
-       /* kill all pending receives */
-       while (transport->pending_recv) {
+       /* kill only the first pending receive - this is so that if
+        that async function frees the connection we don't die trying
+        to use old memory. The caller has to cope with only one
+        network error */
+       if (transport->pending_recv) {
                struct smbcli_request *req = transport->pending_recv;
                req->state = SMBCLI_REQUEST_ERROR;
                req->status = status;