s4:kdc: Avoid potential use‐after‐free

We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 2482cdce4591cebbd651a265bcbcda18eaa82d99..dcef5da2f9a13770b0ddf814875db37611260161 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1707,8 +1707,7 @@ out:
        return ret;
 }
 
-static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
-                                                     struct PAC_DEVICE_INFO *info,
+static krb5_error_code samba_kdc_add_domain_group_sid(struct PAC_DEVICE_INFO *info,
                                                      const struct netr_SidAttr *sid)
 {
        uint32_t i;
@@ -1729,7 +1728,7 @@ static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
 
        if (domain_group == NULL) {
                info->domain_groups = talloc_realloc(
-                       mem_ctx,
+                       info,
                        info->domain_groups,
                        struct PAC_DOMAIN_GROUP_MEMBERSHIP,
                        info->domain_group_count + 1);
@@ -1821,7 +1820,7 @@ static krb5_error_code samba_kdc_make_device_info(TALLOC_CTX *mem_ctx,
                const struct netr_SidAttr *device_sid = &info3->sids[i];
 
                if (dom_sid_has_account_domain(device_sid->sid)) {
-                       ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, device_sid);
+                       ret = samba_kdc_add_domain_group_sid(device_info, device_sid);
                        if (ret != 0) {
                                goto out;
                        }
@@ -1895,7 +1894,7 @@ static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
                        .attributes = device_sid->attrs,
                };
 
-               krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, &sid);
+               krb5_error_code ret = samba_kdc_add_domain_group_sid(device_info, &sid);
                if (ret != 0) {
                        return ret;
                }