CVE-2020-14383: s4/dns: Ensure variable initialization with NULL.

Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
and Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e)

diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
index b6389f2328a6169f13c0eb09916c7b05e1c8c15d..ec6101682663258ce33fc02efb680a29712fb927 100644 (file)
--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
@@ -1759,15 +1759,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
        TALLOC_CTX *tmp_ctx;
        char *name;
        const char * const attrs[] = { "name", "dnsRecord", NULL };
-       struct ldb_result *res;
-       struct DNS_RPC_RECORDS_ARRAY *recs;
+       struct ldb_result *res = NULL;
+       struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
        char **add_names = NULL;
-       char *rname;
+       char *rname = NULL;
        const char *preference_name = NULL;
        int add_count = 0;
        int i, ret, len;
        WERROR status;
-       struct dns_tree *tree, *base, *node;
+       struct dns_tree *tree = NULL;
+       struct dns_tree *base = NULL;
+       struct dns_tree *node = NULL;
 
        tmp_ctx = talloc_new(mem_ctx);
        W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
@@ -1850,9 +1852,9 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
                }
        }
 
-       talloc_free(res);
-       talloc_free(tree);
-       talloc_free(name);
+       TALLOC_FREE(res);
+       TALLOC_FREE(tree);
+       TALLOC_FREE(name);
 
        /* Add any additional records */
        if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
@@ -1870,14 +1872,14 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
                                                LDB_SCOPE_ONELEVEL, attrs,
                                                "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
                                                encoded_name);
-                               talloc_free(name);
+                               TALLOC_FREE(name);
                                if (ret != LDB_SUCCESS) {
                                        continue;
                                }
                                if (res->count == 1) {
                                        break;
                                } else {
-                                       talloc_free(res);
+                                       TALLOC_FREE(res);
                                        continue;
                                }
                        }
@@ -1892,8 +1894,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
                                                        select_flag, rname,
                                                        res->msgs[0], 0, recs,
                                                        NULL, NULL);
-                       talloc_free(rname);
-                       talloc_free(res);
+                       TALLOC_FREE(rname);
+                       TALLOC_FREE(res);
                        if (!W_ERROR_IS_OK(status)) {
                                talloc_free(tmp_ctx);
                                return status;