From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 3 May 2018 04:22:19 +0000 (+1200)
Subject: s4-lsa: Fix use-after-free in LSA server
X-Git-Tag: ldb-1.4.0~459
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e091e505156381e385235ab4518b4d133a98497;p=thirdparty%2Fsamba.git

s4-lsa: Fix use-after-free in LSA server

This is a regression introduced in ab7988aa2fd1a43f576a4b73a6893c61c7ef1957.

The state variable contains the data to be returned to the client
and packed into NDR after the function returned.

This memory needs to be kept (on mem_ctx as parent) until that is
pushed and freed by the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13420

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index becbcfc8b64..f7d367e9525 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -805,7 +805,6 @@ NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
 
 	state->r.out.result = status;
 	dcesrv_lsa_LookupSids_base_map(state);
-	TALLOC_FREE(state);
 	return status;
 }
 
@@ -1284,7 +1283,6 @@ NTSTATUS dcesrv_lsa_LookupNames3(struct dcesrv_call_state *dce_call,
 
 	state->r.out.result = status;
 	dcesrv_lsa_LookupNames_base_map(state);
-	TALLOC_FREE(state);
 	return status;
 }
 
@@ -1357,7 +1355,6 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	state->r.out.result = status;
 	dcesrv_lsa_LookupNames_base_map(state);
-	TALLOC_FREE(state);
 	return status;
 }