s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn
authorAndrew Bartlett <abartlet@samba.org>
Fri, 17 Aug 2012 13:04:56 +0000 (23:04 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 17 Aug 2012 16:24:09 +0000 (18:24 +0200)
The confusing use of do_dn as a memory context while legitimate
created a bug when it was copied and modified to search on a DN from
long-term state.

By always using a temporary memory context it is clear which parameter
is the memory context.

This was found based on a log provided by Ricky Nance
<ricky.nance@weaubleau.k12.mo.us>.  Thanks Ricky!

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104

source4/dsdb/kcc/kcc_deleted.c

index 0e1a42826c33200075cb1cd902d06e72cf2332f9..63bb97c08dcc4a5f20f8681a87a2bbc8d3bd4203 100644 (file)
@@ -83,30 +83,35 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
                struct ldb_result *res;
                const char *attrs[] = { "whenChanged", NULL };
                unsigned int i;
+               TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+               if (!tmp_ctx) {
+                       return NT_STATUS_NO_MEMORY;
+               }
 
-               ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, &do_dn);
+               ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn);
                if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(tmp_ctx);
                        /* some partitions have no Deleted Objects
                           container */
                        continue;
                }
 
                if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) {
-                       ret = dsdb_search(s->samdb, do_dn, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
+                       ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
                                        DSDB_SEARCH_SHOW_RECYCLED, NULL);
                } else {
                        if (do_fs) {
                                DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n",
                                                ldb_dn_get_linearized(part->dn)));
                        }
-                       ret = dsdb_search(s->samdb, part->dn, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
+                       ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
                                        DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)");
                }
 
                if (ret != LDB_SUCCESS) {
                        DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n",
-                                ldb_dn_get_linearized(do_dn)));
-                       talloc_free(do_dn);
+                                ldb_dn_get_linearized(do_dn)));        
+                       TALLOC_FREE(tmp_ctx);
                        continue;
                }
 
@@ -134,7 +139,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
                        }
                }
 
-               talloc_free(do_dn);
+               TALLOC_FREE(tmp_ctx);
        }
 
        return NT_STATUS_OK;
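Review bot: `tmp_ctx` now owns both `do_dn` and `res`, and this `TALLOC_FREE` is its only release on the success path. Any `continue` or `return` in the unchanged lines between the two hunks (not shown here) would skip it and leave the per-partition allocation attached to `mem_ctx` for as long as that context lives. It is worth confirming that no such exit exists, and stating the rule where `tmp_ctx` is declared, for example `/* tmp_ctx owns do_dn and res; free it on every exit from this iteration */`. The loop body starts outside this hunk.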