s4 dsdb: fix use after free in samldb_rename_search_base_callback

Fix use after free detected by AddressSanitizer

AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
                  at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
                  READ of size 8 at 0x60f0002b2738 thread T0
    #0 0x7f89b1a213b4 in samldb_rename_search_base_callback
        ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
    #1 0x7f89d3a0db4a in ldb_module_send_entry
        ../../lib/ldb/common/ldb_modules.c:793
    #2 0x7f89b6f27356 in es_callback
        ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13942

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0cc6d217485c317b2138347216fac5d74684328)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 02eb2fa90494b865e07e476fab40991d089f3b96..2e63f256cd2988395e9bb20c314af7d5f8cc5fcb 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -4063,7 +4063,6 @@ static int check_rename_constraints(struct ldb_message *msg,
        if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
                ret = samldb_verify_subnet(ac, newdn);
                if (ret != LDB_SUCCESS) {
-                       talloc_free(ac);
                        return ret;
                }
        }