diff options
author | Stefan Metzmacher <metze@samba.org> | 2018-07-09 12:33:34 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2018-07-10 20:31:13 +0200 |
commit | 1a9d6ce58939678f88b3081fb91c3309ff3cddb7 (patch) | |
tree | c981e6f6e581d80c65aaa3f2a6c4245ac6b1bc62 /selftest | |
parent | 0503bbab958754bc8ba32da8578602927ebf25c0 (diff) | |
download | samba-1a9d6ce58939678f88b3081fb91c3309ff3cddb7.tar.gz |
s3:messages: make the loop in msg_dgm_ref_recv() more robust against stale pointers
The interaction between msg_dgm_ref_recv() and msg_dgm_ref_destructor()
doesn't allow two references from messaging_dgm_ref() to be free'd
during the loop in msg_dgm_ref_recv().
In addition to the global 'refs' list, we also need to
have a global 'next_ref' pointer, which can be adjusted in
msg_dgm_ref_destructor().
As AD DC we hit this when using irpc in auth_winbind,
which uses imessaging_client_init().
In addition to the main messaging_dgm_ref() in smbd,
source3/auth/auth_samba4.c: prepare_gensec() and
make_auth4_context_s4() also generate a temporary
imessaging_context for auth_context->msg_ctx from within
auth_generic_prepare().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13514
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'selftest')
-rw-r--r-- | selftest/knownfail.d/imessaging | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/selftest/knownfail.d/imessaging b/selftest/knownfail.d/imessaging deleted file mode 100644 index af8fa8d615a..00000000000 --- a/selftest/knownfail.d/imessaging +++ /dev/null @@ -1 +0,0 @@ -^samba4.local.messaging.multi_ctx |