s3: Fix a segfault in the RPC server
authorVolker Lendecke <vl@samba.org>
Tue, 6 Jul 2010 13:07:05 +0000 (15:07 +0200)
committerVolker Lendecke <vl@samba.org>
Tue, 6 Jul 2010 13:11:31 +0000 (15:11 +0200)
After converting the rpc infrastructure to talloc, read_from_internal_pipe freed
the outdata too early. If the last fragment was read in two pieces (as
rpcclient does it), all the outdata was freed during the read of the first
piece of the last fragment. Later read&x calls, trying to read the
rest of the last fragment, stepped into p->out_data.frag with a non-zero offset
when this had already been freed.

source3/rpc_server/srv_pipe_hnd.c

index a77b9eabc0fa2efe708211b87431cb645028692f..e9339929dffff2f1c0aee30639c18c397e50f25e 100644 (file)
@@ -858,15 +858,16 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
                 * current_pdu_sent. */
                p->out_data.current_pdu_sent = 0;
                prs_mem_free(&p->out_data.frag);
-       }
 
-       if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
-               /*
-                * We're completely finished with both outgoing and
-                * incoming data streams. It's safe to free all temporary
-                * data from this request.
-                */
-               free_pipe_context(p);
+               if (p->out_data.data_sent_length
+                   >= prs_offset(&p->out_data.rdata)) {
+                       /*
+                        * We're completely finished with both outgoing and
+                        * incoming data streams. It's safe to free all
+                        * temporary data from this request.
+                        */
+                       free_pipe_context(p);
+               }
        }
 
        return data_returned;
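Review bot: The nested `data_sent_length >= prs_offset(&p->out_data.rdata)` check is now reached only after `prs_mem_free(&p->out_data.frag)`, so the fix silently depends on the enclosing branch's condition (which begins before this hunk) meaning "the whole current fragment has been delivered to the client"; a comment recording that invariant would stop a later cleanup from hoisting free_pipe_context() back out, e.g. `/* Only release the request context once the whole fragment has gone out; a split read of the last fragment comes back through here with current_pdu_sent != 0 and must still find frag intact. */`. The body of read_from_internal_pipe starts outside the hunk, so the partial-read path itself is not visible here. If the prs_ API exposes the buffer, a guard on that path such as `if (prs_data_p(&p->out_data.frag) == NULL) return -1;` before the copy would turn any recurrence of this ordering bug into a clean error instead of a segfault, though whether such an accessor exists cannot be confirmed from this hunk.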