From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Oct 2025 09:08:30 +0000 (+0200)
Subject: s3:passdb: Fix memory leak in pdb_default_del_groupmem()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fb379ef8b3a89e007252a7a9fcc9e98941a9922;p=thirdparty%2Fsamba.git

s3:passdb: Fix memory leak in pdb_default_del_groupmem()

Indirect leak of 496 byte(s) in 1 object(s) allocated from:
    #0 0x7f1e45121c2b in malloc (/lib64/libasan.so.8+0x121c2b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
    #1 0x7f1e44b586a0 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f1e44b59f75 in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f1e44b59f75 in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f1e44b59f75 in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f1e42a18460 in samu_new ../../source3/passdb/passdb.c:63
    #6 0x7f1e42a381ef in pdb_default_del_groupmem ../../source3/passdb/pdb_interface.c:1098
    #7 0x7f1e42a364b1 in pdb_del_groupmem ../../source3/passdb/pdb_interface.c:1130
    #8 0x000000388a57 in net_sam_delmem ../../source3/utils/net_sam.c:1324
    #9 0x00000038ff79 in net_run_function ../../source3/utils/net_util.c:451
    #10 0x00000038bfb6 in net_sam ../../source3/utils/net_sam.c:2306
    #11 0x00000038ff79 in net_run_function ../../source3/utils/net_util.c:451
    #12 0x0000002ea182 in main ../../source3/utils/net.c:1474
    #13 0x7f1e3fc2b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #14 0x7ffe6b22b79f  ([stack]+0x2079f)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Oct 22 15:21:22 UTC 2025 on atb-devel-224
---

diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index af42918fd1f..8678d5d42f3 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1073,6 +1073,7 @@ static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
 	struct passwd *pwd;
 	const char *group_name;
 	uid_t uid;
+	bool in_group;
 
 	map = talloc_zero(mem_ctx, GROUP_MAP);
 	if (!map) {
@@ -1095,17 +1096,21 @@ static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if ( !(account = samu_new( NULL )) ) {
+	account = samu_new(mem_ctx);
+	if (account == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	if (!pdb_getsampwsid(account, &member_sid) ||
 	    !sid_to_uid(&member_sid, &uid) ||
 	    ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
+		TALLOC_FREE(account);
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
-	if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
+	in_group = pdb_user_in_group(mem_ctx, account, &group_sid);
+	if (!in_group) {
+		TALLOC_FREE(account);
 		return NT_STATUS_MEMBER_NOT_IN_GROUP;
 	}
 
@@ -1116,7 +1121,9 @@ static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
 
 	smb_delete_user_group(group_name, pwd->pw_name);
 
-	if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
+	in_group = pdb_user_in_group(mem_ctx, account, &group_sid);
+	TALLOC_FREE(account);
+	if (in_group) {
 		return NT_STATUS_ACCESS_DENIED;
 	}