r20178: Ensure we allocate the intermediate trans structs
authorJeremy Allison <jra@samba.org>
Fri, 15 Dec 2006 00:49:12 +0000 (00:49 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:16:29 +0000 (12:16 -0500)
off conn->mem_ctx, not the null context so we can
safely free everything on conn close. Should fix
possible memleak.
Jeremy.

source/smbd/conn.c
source/smbd/ipc.c
source/smbd/nttrans.c
source/smbd/trans2.c

index 19ed49e7bf4e86f038e0a650f7962281306c758c..083e8339c80bfac4073e7057f84c2c9abed71fe5 100644 (file)
@@ -257,6 +257,7 @@ void conn_free_internal(connection_struct *conn)
 {
        vfs_handle_struct *handle = NULL, *thandle = NULL;
        TALLOC_CTX *mem_ctx = NULL;
+       struct trans_state *state = NULL;
 
        /* Free vfs_connection_struct */
        handle = conn->vfs_handles;
@@ -268,6 +269,13 @@ void conn_free_internal(connection_struct *conn)
                handle = thandle;
        }
 
+       /* Free any pending transactions stored on this conn. */
+       for (state = conn->pending_trans; state; state = state->next) {
+               /* state->setup is a talloc child of state. */
+               SAFE_FREE(state->param);
+               SAFE_FREE(state->data);
+       }
+
        free_namearray(conn->veto_list);
        free_namearray(conn->hide_list);
        free_namearray(conn->veto_oplock_list);
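Review bot: The new loop in conn_free_internal releases only the malloc'ed `param` and `data` buffers, and its comment does not say where the `trans_state` structs themselves are released, so the mixed malloc/talloc ownership is easy to misread. Presumably the structs and their `setup` children go away when `conn->mem_ctx` is destroyed later in this function, but that code is outside the hunk and should be confirmed. I would spell it out in the comment, e.g. `/* state and state->setup hang off conn->mem_ctx and are freed with it; param/data are malloc'ed, so release them here. */`, and add `conn->pending_trans = NULL;` after the loop so nothing can walk the list once its buffers are gone.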
index 08381524c0d56455fd38df81d42c43f62a02efda..9d347a430bece263c83d8fa3a67eaa52b147927e 100644 (file)
@@ -447,7 +447,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
                return ERROR_NT(result);
        }
 
-       if ((state = TALLOC_P(NULL, struct trans_state)) == NULL) {
+       if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
                DEBUG(0, ("talloc failed\n"));
                END_PROFILE(SMBtrans);
                return ERROR_NT(NT_STATUS_NO_MEMORY);
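Review bot: The `trans_state` allocated here with `TALLOC_P` is not zeroed, so each pointer that conn_free_internal() now walks or hands to `SAFE_FREE` (`next`, `param`, `data`) is only safe if a hand-written `= NULL` or list insert has run first. Whether any path can leave a partially initialised state on `conn->pending_trans` is not visible from this hunk, but zeroing at allocation removes the question: `if ((state = TALLOC_ZERO_P(conn->mem_ctx, struct trans_state)) == NULL) {`. The same applies to the matching allocations in reply_nttrans and reply_trans2, and it would make the added `state->setup = NULL;` lines redundant. The body of reply_trans continues outside the hunk.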
@@ -458,6 +458,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
        state->mid = SVAL(inbuf, smb_mid);
        state->vuid = SVAL(inbuf, smb_uid);
        state->setup_count = CVAL(inbuf, smb_suwcnt);
+       state->setup = NULL;
        state->total_param = SVAL(inbuf, smb_tpscnt);
        state->param = NULL;
        state->total_data = SVAL(inbuf, smb_tdscnt);
index 3ade5b01c6b47f1423f70c0518792796ebc017be..0cee4216670912eb3890ee0b8205f5df9c63c26a 100644 (file)
@@ -2845,7 +2845,7 @@ int reply_nttrans(connection_struct *conn,
                return ERROR_NT(result);
        }
 
-       if ((state = TALLOC_P(NULL, struct trans_state)) == NULL) {
+       if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
                END_PROFILE(SMBnttrans);
                return ERROR_DOS(ERRSRV,ERRaccess);
        }
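Review bot: The allocation-failure branch in reply_nttrans returns `ERROR_DOS(ERRSRV,ERRaccess)` and logs nothing, while the same branch in reply_trans and reply_trans2 logs the failure and returns `NT_STATUS_NO_MEMORY`. Reporting memory exhaustion as an access error hides the condition from both the client and anyone reading the server log. Since this line is being touched anyway, I would align it with the other two: `DEBUG(0, ("talloc failed\n"));` followed by `return ERROR_NT(NT_STATUS_NO_MEMORY);`. The rest of reply_nttrans lies outside the hunk.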
@@ -2862,6 +2862,7 @@ int reply_nttrans(connection_struct *conn,
 
        /* setup count is in *words* */
        state->setup_count = 2*CVAL(inbuf,smb_nt_SetupCount); 
+       state->setup = NULL;
        state->call = function_code;
 
        /* 
index f2f0150f6f8b303b47767c83185227065416bfe0..2f4bcb414fde7b94c17fe5ae78118e6051f82886 100644 (file)
@@ -5265,7 +5265,7 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,
                return ERROR_DOS(ERRSRV,ERRaccess);
        }
 
-       if ((state = TALLOC_P(NULL, struct trans_state)) == NULL) {
+       if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
                DEBUG(0, ("talloc failed\n"));
                END_PROFILE(SMBtrans2);
                return ERROR_NT(NT_STATUS_NO_MEMORY);
@@ -5276,6 +5276,7 @@ int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,
        state->mid = SVAL(inbuf, smb_mid);
        state->vuid = SVAL(inbuf, smb_uid);
        state->setup_count = SVAL(inbuf, smb_suwcnt);
+       state->setup = NULL;
        state->total_param = SVAL(inbuf, smb_tpscnt);
        state->param = NULL;
        state->total_data =  SVAL(inbuf, smb_tdscnt);