CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index b4bd9d8f9c9a11e9b943185027c3ad129ffaf7e9..7336778ec533c9492b146b4aeb29bc0b8404cae8 100644 (file)
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -99,10 +99,12 @@ static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, stru
 
        service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
        if ( ! ldb_dn_add_base(service_dn, ldb_get_config_basedn(ldb_ctx))) {
+               talloc_free(tmp_ctx);
                return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
        }
        service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
        if ( ! service_dn_str) {
+               talloc_free(tmp_ctx);
                return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
        }
 
@@ -111,13 +113,15 @@ static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, stru
 
        if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
                DEBUG(1, ("ldb_search: dn: %s not found: %s\n", service_dn_str, ldb_errstring(ldb_ctx)));
+               talloc_free(tmp_ctx);
                return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
        } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
                DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
+               talloc_free(tmp_ctx);
                return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
        } else if (res->count != 1) {
-               talloc_free(res);
                DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
+               talloc_free(tmp_ctx);
                return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
        }