From: Andrew Bartlett
Date: Fri, 17 Aug 2012 12:47:44 +0000 (+1000)
Subject: s4-kcc: Avoid use-after-free of dn and add tmp_ctx
X-Git-Tag: samba-4.0.0beta7~148
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=26bfe70def9905674c74bfe6f9d687b243af4891;p=thirdparty%2Fsamba.git
s4-kcc: Avoid use-after-free of dn and add tmp_ctx
By using a tmp_ctx we are clearer about allocating temporary memory.
Andrew Bartlett
---
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index f96347f423e..8f705d7aa13 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 struct repsFromTo1 *r1 = &r->ctr.ctr1;
 struct GUID invocation_id = r1->source_dsa_invocation_id;
 unsigned int i, j;
+ TALLOC_CTX *tmp_ctx;
 /* we are expecting only version 1 */
 SMB_ASSERT(r->version == 1);
+ tmp_ctx = talloc_new(p);
+ if (!tmp_ctx) {
+ return false;
+ }
+
 for (i=0; icount; i++) {
 struct ldb_message *msg = res->msgs[i];
 struct ldb_message_element *el;
@@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
 }
 }
 for (j=0; jnum_values; j++) {
- dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
+ dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]);
 if (!ldb_dn_validate(dn)) {
 talloc_free(dn);
 continue;
 }
 if (ldb_dn_compare(dn, p->dn) == 0) {
- talloc_free(dn);
 DEBUG(5,("%s %s match on %s in %s\n", r1->other_info->dns_name, el->name, ldb_dn_get_linearized(dn), ldb_dn_get_linearized(msg->dn)));
+ talloc_free(tmp_ctx);
 return true;
 }
 talloc_free(dn);
 }
 }
+ talloc_free(tmp_ctx);
 return false;
 }
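Review bot: The new `talloc_new(p)` failure path returns `false`, the same value check_MasterNC returns for "no matching NC", so a caller cannot tell an allocation failure from a genuine non-match. The callers are outside this diff, but if any of them reacts to `false` by dropping or rewriting a repsFrom entry, a transient out-of-memory condition would silently alter replication state. At minimum log the failure before returning, e.g. `DEBUG(0,(__location__ ": talloc_new failed\n"));`, and state in the function's header comment that `false` also covers allocation failure. The function body starts before this hunk and continues past it.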
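Review bot: In the match branch the ordering of `DEBUG(5,...)` before `talloc_free(tmp_ctx)` is the entire use-after-free fix, yet nothing in the code records why the free must come last. `dn` is now allocated under `tmp_ctx` and is still read by `ldb_dn_get_linearized(dn)` inside the log call, so I would add a comment above the free such as `/* dn is a child of tmp_ctx and is still used by the DEBUG above; free only afterwards */`. The two remaining `talloc_free(dn)` calls in the loop are no longer needed for correctness and only keep per-iteration memory bounded, which also deserves a short comment so they are not removed or reordered by mistake. The enclosing loops begin outside this hunk.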