From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 21 Sep 2021 10:27:28 +0000 (+0200)
Subject: CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
X-Git-Tag: samba-4.13.14~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f73360e17d1e519d25cb4b60d7506fca9fd02fe;p=thirdparty%2Fsamba.git

CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 1d22a48c57c..e6efdfcec5c 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -817,23 +817,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 	if (!p) {
 		DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
 			  princ_name));
-		return NT_STATUS_LOGON_FAILURE;
+		status = NT_STATUS_LOGON_FAILURE;
+		goto done;
 	}
 
 	user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
 	if (!user) {
-		return NT_STATUS_NO_MEMORY;
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
 	}
 
 	realm = talloc_strdup(talloc_tos(), p + 1);
 	if (!realm) {
-		return NT_STATUS_NO_MEMORY;
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
 	}
 
 	if (!strequal(realm, lp_realm())) {
 		DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
 		if (!lp_allow_trusted_domains()) {
-			return NT_STATUS_LOGON_FAILURE;
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
 		}
 	}
 
@@ -841,7 +845,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 		domain = talloc_strdup(mem_ctx,
 					logon_info->info3.base.logon_domain.string);
 		if (!domain) {
-			return NT_STATUS_NO_MEMORY;
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
 		}
 		DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
 	} else {
@@ -871,7 +876,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 			domain = talloc_strdup(mem_ctx, realm);
 		}
 		if (!domain) {
-			return NT_STATUS_NO_MEMORY;
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
 		}
 		DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
 	}