From a359aef0837781c42bf9dbcdd069796c72cc94c7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Jan 2013 09:49:20 +0100
Subject: [PATCH] libcli/security: avoid usage of dom_sid_parse_talloc() in
 sec_access_check_ds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 libcli/security/access_check.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 83b7f9bd6cb..f0a7b665c75 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -389,7 +389,9 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 	uint32_t bits_remaining;
 	struct object_tree *node;
 	const struct GUID *type;
-	struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
+	struct dom_sid self_sid;
+
+	dom_sid_parse(SID_NT_SELF, &self_sid);
 
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
@@ -406,7 +408,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 		if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
 			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 		} else {
-			talloc_free(ps_sid);
 			return NT_STATUS_PRIVILEGE_NOT_HELD;
 		}
 	}
@@ -430,7 +431,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 	/* a NULL dacl allows access */
 	if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
 		*access_granted = access_desired;
-		talloc_free(ps_sid);
 		return NT_STATUS_OK;
 	}
 
@@ -447,7 +447,7 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 			continue;
 		}
 
-		if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
+		if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
 			trustee = replace_sid;
 		} else {
 			trustee = &ace->trustee;
@@ -467,7 +467,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 			break;
 		case SEC_ACE_TYPE_ACCESS_DENIED:
 			if (bits_remaining & ace->access_mask) {
-				talloc_free(ps_sid);
 				return NT_STATUS_ACCESS_DENIED;
 			}
 			break;
@@ -495,12 +494,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 			if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 				object_tree_modify_access(node, ace->access_mask);
 				if (node->remaining_access == 0) {
-					talloc_free(ps_sid);
 					return NT_STATUS_OK;
 				}
 			} else {
 				if (node->remaining_access & ace->access_mask){
-					talloc_free(ps_sid);
 					return NT_STATUS_ACCESS_DENIED;
 				}
 			}
@@ -511,7 +508,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 	}
 
 done:
-	talloc_free(ps_sid);
 	if (bits_remaining != 0) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
-- 
2.11.4.GIT