s4/dsdb: try not to leak on access check failure
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 7 Jun 2023 02:35:30 +0000 (14:35 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 26 Oct 2023 01:24:32 +0000 (01:24 +0000)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/common/dsdb_access.c

index e1bc3d77d21e23cee6e44fb7a8034990d86ba9fa..6edae35837664d9a525d87aa99aecc52f6127d6e 100644 (file)
@@ -76,6 +76,7 @@ int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
                                       (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
 
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               TALLOC_FREE(*sd);
                return ldb_operr(ldb);
        }
 
@@ -106,6 +107,8 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
        if (guid) {
                if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
                                           &root)) {
+                       TALLOC_FREE(sd);
+                       TALLOC_FREE(sid);
                        return ldb_operr(ldb);
                }
        }
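Review bot: Both new cleanup sites release `sd` and `sid` but leave `root`, which `insert_in_object_tree(mem_ctx, ..., &root)` fills in on the same `mem_ctx`; this applies to the failure return here and to the access-denied return in the next hunk. If the helper can leave a partially built tree behind when it fails (its body is not visible here), that memory stays attached to `mem_ctx` until the caller frees the context. Adding `TALLOC_FREE(root);` next to the other two frees would complete both error paths. The function starts and ends outside the hunk, so this assumes `root` is a talloc pointer initialised to NULL.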
@@ -123,6 +126,8 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
                ldb_asprintf_errstring(ldb,
                                       "dsdb_access: Access check failed on %s",
                                       ldb_dn_get_linearized(dn));
+               TALLOC_FREE(sd);
+               TALLOC_FREE(sid);
                return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
        }
        return LDB_SUCCESS;
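Review bot: The `return LDB_SUCCESS;` directly after the new frees still returns with `sd` and `sid` attached to `mem_ctx`, so only the denied path is cleaned up. The granted path, presumably the more frequent one, keeps accumulating allocations whenever a caller passes a long-lived context. Either repeat `TALLOC_FREE(sd); TALLOC_FREE(sid);` before the success return, or allocate everything on a `talloc_new(mem_ctx)` child and free that child at a single exit label so every return is covered. Whether this matters in practice depends on the lifetime of the `mem_ctx` that callers pass in, which is not visible here; the function body begins outside the hunk.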