From 0aa73958f0679f8b7389295c4601903f3f8f3a53 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 7 Nov 2013 15:55:29 +0100
Subject: [PATCH] s4-lsa: Fix a user after free in dcesrv_lsa_lookup_name().

Pair-Programmed-With: Volker Lendecke
Signed-off-by: Andreas Schneider
Reviewed-by: Volker Lendecke
---
 source4/rpc_server/lsa/lsa_lookup.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 07d5c2ff862..40842f02bd0 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -305,19 +305,25 @@ static NTSTATUS dcesrv_lsa_lookup_name(struct tevent_context *ev_ctx,
 }
 if (strcasecmp_m(username, state->domain_dns) == 0) {
 *authority_name = state->domain_name;
- *sid = state->domain_sid;
+ *sid = dom_sid_dup(mem_ctx, state->domain_sid);
+ if (*sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 *rtype = SID_NAME_DOMAIN;
 *rid = 0xFFFFFFFF;
 return NT_STATUS_OK;
 }
 if (strcasecmp_m(username, state->domain_name) == 0) {
 *authority_name = state->domain_name;
- *sid = state->domain_sid;
+ *sid = dom_sid_dup(mem_ctx, state->domain_sid);
+ if (*sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 *rtype = SID_NAME_DOMAIN;
 *rid = 0xFFFFFFFF;
 return NT_STATUS_OK;
 }
-
+
 /* Perhaps this is a well known user? */
 name = talloc_asprintf(mem_ctx, "%s\\%s", NAME_NT_AUTHORITY, username);
 if (!name) {
-- 
2.11.4.GIT
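Review bot: `*authority_name = state->domain_name;` in both patched branches still hands the caller a pointer owned by `state`, the same aliasing that the `dom_sid_dup()` change removes for `*sid`. The callers are not visible in this hunk, so whether they steal or free the name is unconfirmed; if outputs are meant to live on `mem_ctx`, use `*authority_name = talloc_strdup(mem_ctx, state->domain_name);` with the same `NT_STATUS_NO_MEMORY` check, otherwise add a comment such as `/* authority_name is borrowed from state; callers must not free or steal it */`. The two branches are now identical apart from the compared field, so combining them under one `||` condition would keep the ownership handling in a single place. dcesrv_lsa_lookup_name() begins and ends outside the hunk, so earlier and later assignments to `*sid` should be checked for the same pattern.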