From: Robin Hack Date: Wed, 27 Apr 2016 13:10:45 +0000 (+0200) Subject: winbindd/idmap_rfc2307: Fix CID 1273424 - Read from pointer after free X-Git-Tag: talloc-2.1.7~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b61658e721c922089bde4543ec8c445de6eb903c;p=thirdparty%2Fsamba.git winbindd/idmap_rfc2307: Fix CID 1273424 - Read from pointer after free idmap_rfc2307_ads_search() calls ads_do_search_retry_internal() which can deallocate ads param based on ads->is_mine boolean. This approach is fragile so caller must properly check return code before any pointer dereference. Signed-off-by: Robin Hack Reviewed-by: Jeremy Allison Reviewed-by: Christof Schmitt --- diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c index 3ef10f6b217..1b5aad9605d 100644 --- a/source3/winbindd/idmap_rfc2307.c +++ b/source3/winbindd/idmap_rfc2307.c @@ -99,6 +99,11 @@ static NTSTATUS idmap_rfc2307_ads_search(struct idmap_rfc2307_context *ctx, status = ads_do_search_retry(ctx->ads, bind_path, LDAP_SCOPE_SUBTREE, expr, attrs, result); + + if (!ADS_ERR_OK(status)) { + return ads_ntstatus(status); + } + ctx->ldap = ctx->ads->ldap.ld; return ads_ntstatus(status); }
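Review bot: On the new error return after ads_do_search_retry() in idmap_rfc2307_ads_search(), ctx->ads and ctx->ldap keep whatever values they had before the call, so if the callee freed the ads structure as the commit message describes, the context still carries a stale pointer that the next user of ctx could dereference. The visible lines do not show whether anything else resets or re-establishes the connection after a failure; if nothing does, consider clearing both fields before `return ads_ntstatus(status);` in the error branch, or confirm in the commit message that the caller discards or reconnects the context on error. A one-line comment above `if (!ADS_ERR_OK(status)) {` saying that ctx->ads may have been freed on failure would also help, since the two identical `return ads_ntstatus(status);` statements otherwise look like a candidate for being merged back into one, which would reintroduce the read after free.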