1
commit 8691709626b0d461de91b8fc9d10c730d1f183dd
2
Author: Volker Lendecke <vl@samba.org>
3
Date: Fri Jul 25 12:08:03 2008 +0200
5
Fix a race condition in winbind leading to a crash
7
When SIGCHLD handling is delayed for some reason, sending a request to a child
8
can fail early because the child has died already. In this case
9
async_main_request_sent() directly called the continuation function without
10
properly removing the malfunctioning child process and the requests in the
11
queue. The next request would then crash in the DLIST_ADD_END() in
12
async_request() because the request pending for the child had been
13
talloc_free()'ed and yet still was referenced in the list.
19
diff --git a/samba/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c
20
index 57ab627..f2be6d6 100644
21
--- a/samba/source/winbindd/winbindd_dual.c
22
+++ b/samba/source/winbindd/winbindd_dual.c
23
@@ -104,6 +104,7 @@ struct winbindd_async_request {
27
+static void async_request_fail(struct winbindd_async_request *state);
28
static void async_main_request_sent(void *private_data, bool success);
29
static void async_request_sent(void *private_data, bool success);
30
static void async_reply_recv(void *private_data, bool success);
31
@@ -129,6 +130,7 @@ void async_request(TALLOC_CTX *mem_ctx, struct winbindd_child *child,
33
state->mem_ctx = mem_ctx;
35
+ state->reply_timeout_event = NULL;
36
state->request = request;
37
state->response = response;
38
state->continuation = continuation;
39
@@ -148,10 +150,7 @@ static void async_main_request_sent(void *private_data, bool success)
42
DEBUG(5, ("Could not send async request\n"));
44
- state->response->length = sizeof(struct winbindd_response);
45
- state->response->result = WINBINDD_ERROR;
46
- state->continuation(state->private_data, False);
47
+ async_request_fail(state);