From 26bfe70def9905674c74bfe6f9d687b243af4891 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Aug 2012 22:47:44 +1000 Subject: [PATCH] s4-kcc: Avoid use-after-free of dn and add tmp_ctx By using a tmp_ctx we are clearer about allocating temporary memory. Andrew Bartlett --- source4/dsdb/kcc/kcc_periodic.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index f96347f423e..8f705d7aa13 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, struct repsFromTo1 *r1 = &r->ctr.ctr1; struct GUID invocation_id = r1->source_dsa_invocation_id; unsigned int i, j; + TALLOC_CTX *tmp_ctx; /* we are expecting only version 1 */ SMB_ASSERT(r->version == 1); + tmp_ctx = talloc_new(p); + if (!tmp_ctx) { + return false; + } + for (i=0; icount; i++) { struct ldb_message *msg = res->msgs[i]; struct ldb_message_element *el; @@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, } } for (j=0; jnum_values; j++) { - dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]); + dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]); if (!ldb_dn_validate(dn)) { talloc_free(dn); continue; } if (ldb_dn_compare(dn, p->dn) == 0) { - talloc_free(dn); DEBUG(5,("%s %s match on %s in %s\n", r1->other_info->dns_name, el->name, ldb_dn_get_linearized(dn), ldb_dn_get_linearized(msg->dn))); + talloc_free(tmp_ctx); return true; } talloc_free(dn); } } + talloc_free(tmp_ctx); return false; } -- 2.11.4.GIT
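Review bot: The new `if (!tmp_ctx) { return false; }` guard in the first hunk makes an allocation failure indistinguishable from "no matching master NC", and it does so silently. If callers react to a false result by pruning the repsFrom/repsTo entry (the callers are not visible here, so this needs confirming), a transient out-of-memory condition would change replication state instead of merely skipping a check. I would at least log it, e.g. `DEBUG(0,("check_MasterNC: talloc_new failed\n"));` before the `return false;`, and add a comment stating which way the function is meant to fail. The function body continues past this hunk, and any early `return` in the lines between the two hunks would also need `talloc_free(tmp_ctx)`, because the context is parented to `p`, which appears to outlive the call.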
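Review bot: The match branch in the second hunk now depends on `dn` staying alive until after the `DEBUG(5, ...)` call, but nothing in the code says so, which is how the original use-after-free got in. A short comment above the DEBUG, such as `/* dn is read by DEBUG below; it is released with tmp_ctx */`, would keep a later cleanup from moving a free back above the log call. The arguments are probably evaluated only when the log level reaches 5, so an ordering bug of this kind would not show up in a default test run, and the comment is the main guard against it. The loop and the function both begin outside this hunk.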