Hi Tridge,

On Tue, 2010-04-20 at 01:11 -0500, Andrew Tridgell wrote:
> The branch, master has been updated
>        via  f1c5239... pytalloc: ensure talloc_ctx is directly after
> PyObject_HEAD
>        via  45be1c7... talloc: there is no ambiguity when freeing a ptr with
> a null parent
>        via  773a8af... tdb: update tdb ABI to use hide_symbols=True
>        via  cdaac0a... build: include uninitialised data in the ABI symbols
>        via  0e56037... build: quote cross-answer strings
>        via  f2bd78c... build: allow "waf --abi-check" to force a re-check of
> the ABI
>       from  538a07a... s4:provisionbackend Print the command we failed to
> start slapd with
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit f1c523939b88aee0b1ce7375d68b06a0b8cf5d28
> Author: Andrew Tridgell <[email protected]>
> Date:   Tue Apr 20 15:33:00 2010 +1000
>
>     pytalloc: ensure talloc_ctx is directly after PyObject_HEAD
>
>     the talloc python interface for tp_alloc and tp_dealloc relies on a
>     cast to a py_talloc_Object to find the talloc_ctx (see
>     py_talloc_dealloc). This means we rely on the talloc_ctx for the
>     object being directly after the PyObject_HEAD
>
>     This fixes the talloc free with references bug in samba_dnsupdate
>
>     The actual problem was the tp_alloc() call in
>     PyCredentialCacheContainer_from_ccache_container() which used a cast
>     from a py_talloc_Object to a PyCredentialCacheContainerObject. That
>     case effectively changed the parent/child relationship between the
>     talloc_ctx and the ccc ptr.
>
>     This patch changes all the structures that follow this pattern to put
>     the TALLOC_CTX directly after the PyObject_HEAD, to ensure that if
>     anyone else decides to do a dangerous cast like this that it won't
>     cause the same sort of subtle breakage.
>
>     Pair-Programmed-With: Rusty Russell <[email protected]>

Thanks!

This makes the bug less visible, but I think we should also make the code fail in this situation and fix PyCredentialCacheContainerObject. Things like py_talloc_dealloc should ensure that they are only used with objects that were created using those functions, perhaps using a magic value?

Cheers, Jelmer
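
A sketch of the magic-value check suggested in the reply above, as an added example that is not Samba's pytalloc code: `wrap_object`, `foreign_object`, `WRAP_MAGIC`, `wrap_new` and `wrap_dealloc` are hypothetical names, and `OBJ_HEAD` is a simplified stand-in for `PyObject_HEAD`. The generic dealloc returns an error for any object its own allocator did not create, instead of trusting the field layout after the head.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for PyObject_HEAD (assumption, not the CPython macro). */
#define OBJ_HEAD size_t refcnt; const void *type;
#define WRAP_MAGIC 0x7079746cu /* constructed tag value */

/* Layout the generic dealloc expects: head, tag, then the memory context. */
typedef struct { OBJ_HEAD uint32_t magic; void *ctx; void *ptr; } wrap_object;

/* Object from another allocator: same head, different fields after it. */
typedef struct { OBJ_HEAD void *other; void *ctx; } foreign_object;

wrap_object *wrap_new(void *ctx, void *ptr) {
    wrap_object *w = calloc(1, sizeof(*w));
    if (w == NULL) return NULL;
    w->refcnt = 1;
    w->magic = WRAP_MAGIC;
    w->ctx = ctx;
    w->ptr = ptr;
    return w;
}

/* Read the tag with memcpy so a possibly foreign object is never
 * accessed through the wrong struct type. */
static int wrap_is_ours(const void *obj) {
    uint32_t tag;
    if (obj == NULL) return 0;
    memcpy(&tag, (const char *)obj + offsetof(wrap_object, magic), sizeof(tag));
    return tag == WRAP_MAGIC;
}

/* Generic dealloc: refuses (-1) anything wrap_new() did not create. */
int wrap_dealloc(void *obj, void **ctx_out) {
    wrap_object *w;
    if (!wrap_is_ours(obj)) return -1;
    w = obj;
    *ctx_out = w->ctx; /* caller releases the context */
    w->magic = 0;      /* clear the tag before releasing the object */
    free(w);
    return 0;
}

int main(void) {
    int dummy_ctx = 0; void *ctx = NULL;
    foreign_object f = { 1, NULL, NULL, &dummy_ctx };
    wrap_object *w = wrap_new(&dummy_ctx, NULL);
    printf("foreign: %d\n", wrap_dealloc(&f, &ctx));
    printf("ours:    %d\n", w ? wrap_dealloc(w, &ctx) : -1);
    return 0;
}
```

A production version could abort rather than return an error, which matches the "make the code fail" wording in the reply.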
