s4: Call va_end() after all va_start()/va_copy() calls.

This corrects the issues reaised in bug #6129, and some others that were not
originally identified.  It also accounts for some code that was in the original
bug report but appears to have since been made common between S3 and S4.

Thanks to Erik Hovland <erik@hovland.org> for the original bug report.

diff --git a/examples/libsmbclient/smbwrapper/smbw.c b/examples/libsmbclient/smbwrapper/smbw.c
index e2e44c1f0f47be0707828614584a92262f3b2d26..1356c78d04465e73b7d5807e85def9aebbd8e3cc 100644 (file)
--- a/examples/libsmbclient/smbwrapper/smbw.c
+++ b/examples/libsmbclient/smbwrapper/smbw.c
@@ -55,12 +55,9 @@ smbw_ref -- manipulate reference counts
 ******************************************************/
 int smbw_ref(int client_fd, Ref_Count_Type type, ...)
 {
-        va_list ap;
-
         /* client id values begin at SMBC_BASE_FC. */
         client_fd -= SMBC_BASE_FD;
 
-        va_start(ap, type);
         switch(type)
         {
         case SMBW_RCT_Increment:
@@ -73,9 +70,16 @@ int smbw_ref(int client_fd, Ref_Count_Type type, ...)
                 return smbw_ref_count[client_fd];
 
         case SMBW_RCT_Set:
-                return (smbw_ref_count[client_fd] = va_arg(ap, int));
+               {
+                       va_list ap;
+                       int ret;
+
+                       va_start(ap, type);
+                       ret = (smbw_ref_count[client_fd] = va_arg(ap, int));
+                       va_end(ap);
+                       return ret;
+               }
         }
-        va_end(ap);
 
         /* never gets here */
         return -1;

diff --git a/lib/torture/torture.c b/lib/torture/torture.c
index 17adce94e57395b923ada59b7fcd25a89d31d26d..99447e7e5355bd93b62e8fc0e65bdcea6dcddf37 100644 (file)
--- a/lib/torture/torture.c
+++ b/lib/torture/torture.c
@@ -107,6 +107,7 @@ void torture_comment(struct torture_context *context, const char *comment, ...)
 
        va_start(ap, comment);
        tmp = talloc_vasprintf(context, comment, ap);
+       va_end(ap);
                
        context->results->ui_ops->comment(context, tmp);
        
@@ -126,6 +127,7 @@ void torture_warning(struct torture_context *context, const char *comment, ...)
 
        va_start(ap, comment);
        tmp = talloc_vasprintf(context, comment, ap);
+       va_end(ap);
 
        context->results->ui_ops->warning(context, tmp);
 

diff --git a/libcli/auth/msrpc_parse.c b/libcli/auth/msrpc_parse.c
index 9125c1cd7877c3e85a3dc74ea93d23c9d0404ff5..50e0d5c2f97cb60d2ef8bdba117e089edb840bdb 100644 (file)
--- a/libcli/auth/msrpc_parse.c
+++ b/libcli/auth/msrpc_parse.c
@@ -71,6 +71,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx,
                                (smb_ucs2_t **)(void *)&pointers[i].data,
                                s, &n);
                        if (!ret) {
+                               va_end(ap);
                                return false;
                        }
                        pointers[i].length = n;
@@ -84,6 +85,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx,
                                pointers, (char **)(void *)&pointers[i].data,
                                s, &n);
                        if (!ret) {
+                               va_end(ap);
                                return false;
                        }
                        pointers[i].length = n;
@@ -99,6 +101,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx,
                                (smb_ucs2_t **)(void *)&pointers[i].data,
                                s, &n);
                        if (!ret) {
+                               va_end(ap);
                                return false;
                        }
                        pointers[i].length = n;
@@ -192,6 +195,7 @@ bool msrpc_gen(TALLOC_CTX *mem_ctx,
 /* a helpful macro to avoid running over the end of our blob */
 #define NEED_DATA(amount) \
 if ((head_ofs + amount) > blob->length) { \
+        va_end(ap); \
         return false; \
 }
 

diff --git a/source4/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/source4/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index 8acbac4cc3aad9bcbd95d1880265258c3885bda7..d0573d389e91e7b8241b5e375d41a09efb232378 100644 (file)
--- a/source4/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/source4/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -485,6 +485,7 @@ query_int(const struct lsqlite3_private * lsqlite3,
 
         /* Format the query */
         if ((p = sqlite3_vmprintf(pSql, args)) == NULL) {
+               va_end(args);
                 return SQLITE_NOMEM;
         }