From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Wed, 11 Aug 2021 04:56:07 +0000 (+1200)
Subject: CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
X-Git-Tag: ldb-2.5.0~225
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c7e3617cc368bc8c36b4b353e827712b08370e16;p=thirdparty%2Fsamba.git

CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index f298ef3df6f..0aefaa1e58e 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -101,10 +101,12 @@ static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, stru
 
 	service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
 	if ( ! ldb_dn_add_base(service_dn, ldb_get_config_basedn(ldb_ctx))) {
+		talloc_free(tmp_ctx);
 		return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 	}
 	service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
 	if ( ! service_dn_str) {
+		talloc_free(tmp_ctx);
 		return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 	}
 
@@ -113,13 +115,15 @@ static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, stru
 
 	if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
 		DEBUG(1, ("ldb_search: dn: %s not found: %s\n", service_dn_str, ldb_errstring(ldb_ctx)));
+		talloc_free(tmp_ctx);
 		return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 	} else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 		DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
+		talloc_free(tmp_ctx);
 		return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 	} else if (res->count != 1) {
-		talloc_free(res);
 		DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
+		talloc_free(tmp_ctx);
 		return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 	}