From: Andrew Bartlett Date: Tue, 14 Jun 2016 22:36:16 +0000 (+1200) Subject: dsdb: Fix use-after-free of parent_dn in operational module X-Git-Tag: tdb-1.3.10~703 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea86f5eb0ceeb8ee18918ff956c060827608f5f6;p=thirdparty%2Fsamba.git dsdb: Fix use-after-free of parent_dn in operational module Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 4205c4b716b..08a8454eca6 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -357,17 +357,19 @@ static int construct_parent_guid(struct ldb_module *module, ret = dsdb_module_search_dn(module, msg, &parent_res, parent_dn, attrs2, DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_RECYCLED, parent); - talloc_free(parent_dn); - /* not NC, so the object should have a parent*/ if (ret == LDB_ERR_NO_SUCH_OBJECT) { - return ldb_error(ldb_module_get_ctx(module), LDB_ERR_OPERATIONS_ERROR, + ret = ldb_error(ldb_module_get_ctx(module), LDB_ERR_OPERATIONS_ERROR, talloc_asprintf(msg, "Parent dn %s for %s does not exist", ldb_dn_get_linearized(parent_dn), ldb_dn_get_linearized(msg->dn))); + talloc_free(parent_dn); + return ret; } else if (ret != LDB_SUCCESS) { + talloc_free(parent_dn); return ret; } + talloc_free(parent_dn); parent_guid = ldb_msg_find_ldb_val(parent_res->msgs[0], "objectGUID"); if (!parent_guid) {
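Review bot: The new code frees `parent_dn` separately on each of the three paths after `dsdb_module_search_dn()` (the `LDB_ERR_NO_SUCH_OBJECT` branch, the generic error branch and the success path). The pointer's lifetime therefore still depends on every branch being kept in sync, which is the kind of ordering mistake behind the original use-after-free. Since the NO_SUCH_OBJECT branch now stores the `ldb_error()` result in `ret`, the `else` could be dropped so that a single `talloc_free(parent_dn);` sits directly after that block, followed by `if (ret != LDB_SUCCESS) { return ret; }`. A short comment at that free, such as `/* parent_dn is last used in the error message above */`, would record why it cannot move back up. The body of `construct_parent_guid()` starts and ends outside this hunk, so any later use of `parent_dn` is not visible here and should be checked before restructuring.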