First part of fix for bug #7159 - client rpc_transport doesn't cope with bad server...
authorJeremy Allison <jra@samba.org>
Fri, 19 Feb 2010 22:18:51 +0000 (14:18 -0800)
committerKarolin Seeger <kseeger@samba.org>
Mon, 29 Mar 2010 07:40:59 +0000 (09:40 +0200)
Ensure that subreq is *always* talloc_free'd in the _done
function, as it has an event timeout attached. If the
read requests take longer than the cli->timeout, then
the timeout fn is called with already freed data.

Jeremy.
(cherry picked from commit ad77ae1d5870e06f8587ecf634e0b6bdcbb950d7)
(cherry picked from commit 6e5b6b5acb30869eb63b25ed1406014101a5e89d)

source3/rpc_client/rpc_transport_np.c
source3/rpc_client/rpc_transport_sock.c

index fdcdfd3a25ba4558cc9395eae28e3a25c48e3fc4..30c6f1fba3f0c8ae26b54970f32d400a508cdd9f 100644 (file)
@@ -157,6 +157,9 @@ static void rpc_np_read_done(struct tevent_req *subreq)
        NTSTATUS status;
        uint8_t *rcvbuf;
 
+       /* We must free subreq in this function as there is
+          a timer event attached to it. */
+
        status = cli_read_andx_recv(subreq, &state->received, &rcvbuf);
        /*
         * We can't TALLOC_FREE(subreq) as usual here, as rcvbuf still is a
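Review bot: The added comment in rpc_np_read_done says subreq must be freed in this function, while the existing comment directly below it says it cannot be freed "as usual", so the two read as conflicting instructions. I would merge them into one comment, for example `/* subreq has a timer event attached, so free it on every exit path, but only once rcvbuf has been copied out. */`, on the assumption (the existing comment is cut off at the hunk edge) that rcvbuf is allocated under subreq. The early-return branches between this hunk and the next are not visible here. The free added before `tevent_req_done(req)` in the next hunk covers only the success path, so those branches are worth checking against the commit message's "always".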
@@ -178,6 +181,7 @@ static void rpc_np_read_done(struct tevent_req *subreq)
        }
 
        memcpy(state->data, rcvbuf, state->received);
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }
 
index df060e61e99e7538a7e472eada94fc04f1255f3a..4ab17dbd8daf0f86e206f6203fef7a67592f6394 100644 (file)
@@ -88,15 +88,21 @@ static void rpc_sock_read_done(struct tevent_req *subreq)
                req, struct rpc_sock_read_state);
        int err;
 
+       /* We must free subreq in this function as there is
+         a timer event attached to it. */
+
        state->received = async_recv_recv(subreq, &err);
+
        if (state->received == -1) {
                if (state->transp->fd != -1) {
                        close(state->transp->fd);
                        state->transp->fd = -1;
                }
+               TALLOC_FREE(subreq);
                tevent_req_nterror(req, map_nt_error_from_unix(err));
                return;
        }
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }
 
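Review bot: In rpc_sock_read_done the new `TALLOC_FREE(subreq)` is repeated in the error branch and on the success path, so the "always freed" rule depends on every future exit path remembering it. `async_recv_recv` has already stored its results in `state->received` and the local `err`, neither of which appears to point into subreq, so the free could sit once directly after the call: `state->received = async_recv_recv(subreq, &err);` followed by `TALLOC_FREE(subreq);`. The same applies to rpc_sock_write_done in the next hunk with `async_send_recv`. Both functions start above their hunks, so this assumes nothing later in them reads subreq, which matches the visible lines.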
@@ -165,15 +171,21 @@ static void rpc_sock_write_done(struct tevent_req *subreq)
                req, struct rpc_sock_write_state);
        int err;
 
+       /* We must free subreq in this function as there is
+         a timer event attached to it. */
+
        state->sent = async_send_recv(subreq, &err);
+
        if (state->sent == -1) {
                if (state->transp->fd != -1) {
                        close(state->transp->fd);
                        state->transp->fd = -1;
                }
+               TALLOC_FREE(subreq);
                tevent_req_nterror(req, map_nt_error_from_unix(err));
                return;
        }
+       TALLOC_FREE(subreq);
        tevent_req_done(req);
 }