From 1941a6c92e3b3a47c5532404a100fc44de5ad165 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 24 Oct 2011 12:20:46 -0700 Subject: [PATCH] Try and fix bug #8384 - Windows XP clients seem to crash smbd process every once in a while. Remove the copy of the binding handle from struct notify_back_channel, use the direct pointer in struct rpc_pipe_client instead. Ensure we can't call the functions with a NULL binding handle. Autobuild-User: Jeremy Allison Autobuild-Date: Mon Oct 24 22:56:40 CEST 2011 on sn-devel-104 (cherry picked from commit 4ba00ab57b89e58a94b73f58fd83851ba54d771b) --- source3/rpc_server/spoolss/srv_spoolss_nt.c | 23 +++++++++++++++++------ 1 files changed, 17 insertions(+), 6 deletions(-) diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index c886f34..34f4ca0 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -136,7 +136,6 @@ struct notify_back_channel { /* print notify back-channel pipe handle*/ struct rpc_pipe_client *cli_pipe; - struct dcerpc_binding_handle *binding_handle; uint32_t active_connections; }; @@ -249,6 +248,8 @@ static void srv_spoolss_replycloseprinter(int snum, /* weird if the test succeeds !!! */ if (prn_hnd->notify.cli_chan == NULL || + prn_hnd->notify.cli_chan->cli_pipe == NULL || + prn_hnd->notify.cli_chan->cli_pipe->binding_handle == NULL || prn_hnd->notify.cli_chan->active_connections == 0) { DEBUG(0, ("Trying to close unexisting backchannel!\n")); DLIST_REMOVE(back_channels, prn_hnd->notify.cli_chan); @@ -257,7 +258,7 @@ static void srv_spoolss_replycloseprinter(int snum, } status = dcerpc_spoolss_ReplyClosePrinter( - prn_hnd->notify.cli_chan->binding_handle, + prn_hnd->notify.cli_chan->cli_pipe->binding_handle, talloc_tos(), &prn_hnd->notify.cli_hnd, &result); @@ -273,7 +274,6 @@ static void srv_spoolss_replycloseprinter(int snum, /* if it's the last connection, deconnect the IPC$ share */ if (prn_hnd->notify.cli_chan->active_connections == 1) { - prn_hnd->notify.cli_chan->binding_handle = NULL; cli_shutdown(rpc_pipe_np_smb_conn(prn_hnd->notify.cli_chan->cli_pipe)); DLIST_REMOVE(back_channels, prn_hnd->notify.cli_chan); TALLOC_FREE(prn_hnd->notify.cli_chan); @@ -1253,6 +1253,8 @@ static int send_notify2_printer(TALLOC_CTX *mem_ctx, /* Is there notification on this handle? */ if (prn_hnd->notify.cli_chan == NULL || + prn_hnd->notify.cli_chan->cli_pipe == NULL || + prn_hnd->notify.cli_chan->cli_pipe->binding_handle == NULL || prn_hnd->notify.cli_chan->active_connections == 0) { return 0; } @@ -1285,7 +1287,7 @@ static int send_notify2_printer(TALLOC_CTX *mem_ctx, info.info0 = &info0; status = dcerpc_spoolss_RouterReplyPrinterEx( - prn_hnd->notify.cli_chan->binding_handle, + prn_hnd->notify.cli_chan->cli_pipe->binding_handle, mem_ctx, &prn_hnd->notify.cli_hnd, prn_hnd->notify.change, /* color */ @@ -2608,7 +2610,6 @@ static bool srv_spoolss_replyopenprinter(int snum, const char *printer, TALLOC_FREE(chan); return false; } - chan->binding_handle = chan->cli_pipe->binding_handle; DLIST_ADD(back_channels, chan); @@ -2620,6 +2621,16 @@ static bool srv_spoolss_replyopenprinter(int snum, const char *printer, true, FLAG_MSG_PRINT_NOTIFY); } + if (chan->cli_pipe == NULL || + chan->cli_pipe->binding_handle == NULL) { + DEBUG(0, ("srv_spoolss_replyopenprinter: error - " + "NULL %s for printer %s\n", + chan->cli_pipe == NULL ? + "chan->cli_pipe" : "chan->cli_pipe->binding_handle", + printer)); + return false; + } + /* * Tell the specific printing tdb we want messages for this printer * by registering our PID. @@ -2630,7 +2641,7 @@ static bool srv_spoolss_replyopenprinter(int snum, const char *printer, printer)); } - status = dcerpc_spoolss_ReplyOpenPrinter(chan->binding_handle, + status = dcerpc_spoolss_ReplyOpenPrinter(chan->cli_pipe->binding_handle, talloc_tos(), printer, localprinter, -- 1.7.3.1