lib: talloc: As _tc_free_internal() takes a struct talloc_chunk *, add an extra paran...

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 428fb8aa7adf4fe4392775b04963647928c95306..cd0ec3d09e9eb0b2ac696d5e9342479dc8ae4e7a 100644 (file)
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1034,6 +1034,20 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,
 
        if (unlikely(tc->destructor)) {
                talloc_destructor_t d = tc->destructor;
+
+               /*
+                * Protect the destructor against some overwrite
+                * attacks, by explicitly checking it has the right
+                * magic here.
+                */
+               if (talloc_chunk_from_ptr(ptr) != tc) {
+                       /*
+                        * This can't actually happen, the
+                        * call itself will panic.
+                        */
+                       TALLOC_ABORT("talloc_chunk_from_ptr failed!");
+               }
+
                if (d == (talloc_destructor_t)-1) {
                        return -1;
                }