r3391: fixed some memory leaks in the schannel code

(This used to be commit eb3366d3667ddddf7ab5eae5d1fbc5de86c41072)

5 files changed, 30 insertions, 51 deletions

diff --git a/source4/libcli/auth/schannel.c b/source4/libcli/auth/schannel.c
index a99822534b..2f20a3e906 100644
--- a/source4/libcli/auth/schannel.c
+++ b/source4/libcli/auth/schannel.c
@@ -23,7 +23,6 @@
 #include "includes.h"
 
 struct schannel_state {
-	TALLOC_CTX *mem_ctx;
 	uint8_t session_key[16];
 	uint32_t seq_num;
 	BOOL initiator;
@@ -219,7 +218,7 @@ NTSTATUS schannel_seal_packet(struct schannel_state *state,
 
 	netsec_deal_with_seq_num(state, digest_final, seq_num);
 
-	(*sig) = data_blob_talloc(state->mem_ctx, NULL, 32);
+	(*sig) = data_blob_talloc(mem_ctx, NULL, 32);
 
 	memcpy(sig->data, netsec_sig, 8);
 	memcpy(sig->data+8, seq_num, 8);
@@ -256,7 +255,7 @@ NTSTATUS schannel_sign_packet(struct schannel_state *state,
 
 	netsec_deal_with_seq_num(state, digest_final, seq_num);
 
-	(*sig) = data_blob_talloc(state->mem_ctx, NULL, 32);
+	(*sig) = data_blob_talloc(mem_ctx, NULL, 32);
 
 	memcpy(sig->data, netsec_sig, 8);
 	memcpy(sig->data+8, seq_num, 8);
@@ -277,7 +276,7 @@ NTSTATUS schannel_sign_packet(struct schannel_state *state,
 void schannel_end(struct schannel_state **state)
 {
 	if (*state) {
-		talloc_destroy((*state)->mem_ctx);
+		talloc_free(*state);
 		(*state) = NULL;
 	}
 }
@@ -289,20 +288,11 @@ NTSTATUS schannel_start(struct schannel_state **state,
 			const uint8_t session_key[16],
 			BOOL initiator)
 {
-	TALLOC_CTX *mem_ctx;
-
-	mem_ctx = talloc_init("schannel_state");
-	if (!mem_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	(*state) = talloc_p(mem_ctx, struct schannel_state);
+	(*state) = talloc_p(NULL, struct schannel_state);
 	if (!(*state)) {
-		talloc_destroy(mem_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	(*state)->mem_ctx = mem_ctx;
 	memcpy((*state)->session_key, session_key, 16);
 	(*state)->initiator = initiator;
 	(*state)->seq_num = 0;
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 43f53d72b3..f53d77647a 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -28,7 +28,6 @@ enum schannel_position {
 };
 
 struct dcerpc_schannel_state {
-	TALLOC_CTX *mem_ctx;
 	enum schannel_position state;
 	struct schannel_state *schannel_state;
 	struct creds_CredentialState creds;
@@ -173,7 +172,7 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
 			return status;
 		}
 
-		dce_schan_state->account_name = talloc_strdup(dce_schan_state->mem_ctx, account_name);
+		dce_schan_state->account_name = talloc_strdup(dce_schan_state, account_name);
 		
 		/* start up the schannel server code */
 		status = schannel_start(&dce_schan_state->schannel_state, 
@@ -183,6 +182,7 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
 				  account_name, nt_errstr(status)));
 			return status;
 		}
+		talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 		
 		bind_schannel_ack.unknown1 = 1;
 		bind_schannel_ack.unknown2 = 0;
@@ -260,22 +260,13 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
 {
 	struct dcerpc_schannel_state *dce_schan_state;
-	TALLOC_CTX *mem_ctx;
-	mem_ctx = talloc_init("dcerpc_schannel_start");
-	if (!mem_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
 
-	dce_schan_state = talloc_p(mem_ctx, struct dcerpc_schannel_state);
+	dce_schan_state = talloc_p(gensec_security, struct dcerpc_schannel_state);
 	if (!dce_schan_state) {
-		talloc_destroy(mem_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	dce_schan_state->mem_ctx = mem_ctx;
 	dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
-	
-
 	gensec_security->private_data = dce_schan_state;
 	
 	return NT_STATUS_OK;
@@ -315,6 +306,7 @@ static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_secu
 		DEBUG(1, ("Failed to start schannel client\n"));
 		return status;
 	}
+	talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 
 	return NT_STATUS_OK;
 }
@@ -328,7 +320,7 @@ static void dcerpc_schannel_end(struct gensec_security *gensec_security)
 
 	schannel_end(&dce_schan_state->schannel_state);
 
-	talloc_destroy(dce_schan_state->mem_ctx);
+	talloc_free(dce_schan_state);
 
 	gensec_security->private_data = NULL;
 }
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 960fe7aea8..4c2c107b22 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -1119,6 +1119,8 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
 		return status;
 	}
 
+	talloc_steal(p, *p2);
+
 	(*p2)->flags = p->flags;
 
 	status = dcerpc_bind_auth_none(*p2, pipe_uuid, pipe_version);
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index c41fe19506..1336eb0552 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -97,11 +97,14 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
+
 	torture_leave_domain(join_ctx);
+	dcerpc_pipe_close(p);
 	return True;
 
 failed:
 	torture_leave_domain(join_ctx);
+	dcerpc_pipe_close(p);
 	return False;	
 }
 
@@ -140,5 +143,7 @@ BOOL torture_rpc_schannel(void)
 		}
 	}
 
+	talloc_free(mem_ctx);
+
 	return ret;
 }
diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c
index 9cae85b658..b81199d74d 100644
--- a/source4/torture/rpc/testjoin.c
+++ b/source4/torture/rpc/testjoin.c
@@ -28,7 +28,6 @@
 #include "includes.h"
 
 struct test_join {
-	TALLOC_CTX *mem_ctx;
 	struct dcerpc_pipe *p;
 	const char *machine_password;
 	struct policy_handle user_handle;
@@ -106,23 +105,14 @@ void *torture_join_domain(const char *machine_name,
 	struct samr_Name name;
 	int policy_min_pw_len = 0;
 	struct test_join *join;
-	TALLOC_CTX *mem_ctx;
 
-	mem_ctx = talloc_init("torture_join_domain");
-	if (!mem_ctx) {
-		return NULL;
-	}
-
-	join = talloc_p(mem_ctx, struct test_join);
+	join = talloc_p(NULL, struct test_join);
 	if (join == NULL) {
-		talloc_destroy(mem_ctx);
 		return NULL;
 	}
 
 	ZERO_STRUCTP(join);
 
-	join->mem_ctx = mem_ctx;
-
 	printf("Connecting to SAMR\n");
 
 	status = torture_rpc_connection(&join->p, 
@@ -137,11 +127,11 @@ void *torture_join_domain(const char *machine_name,
 	c.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 	c.out.connect_handle = &handle;
 
-	status = dcerpc_samr_Connect(join->p, mem_ctx, &c);
+	status = dcerpc_samr_Connect(join->p, join, &c);
 	if (!NT_STATUS_IS_OK(status)) {
 		const char *errstr = nt_errstr(status);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
-			errstr = dcerpc_errstr(mem_ctx, join->p->last_fault_code);
+			errstr = dcerpc_errstr(join, join->p->last_fault_code);
 		}
 		printf("samr_Connect failed - %s\n", errstr);
 		goto failed;
@@ -153,7 +143,7 @@ void *torture_join_domain(const char *machine_name,
 	l.in.connect_handle = &handle;
 	l.in.domain = &name;
 
-	status = dcerpc_samr_LookupDomain(join->p, mem_ctx, &l);
+	status = dcerpc_samr_LookupDomain(join->p, join, &l);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("LookupDomain failed - %s\n", nt_errstr(status));
 		goto failed;
@@ -164,7 +154,7 @@ void *torture_join_domain(const char *machine_name,
 	o.in.sid = l.out.sid;
 	o.out.domain_handle = &domain_handle;
 
-	status = dcerpc_samr_OpenDomain(join->p, mem_ctx, &o);
+	status = dcerpc_samr_OpenDomain(join->p, join, &o);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("OpenDomain failed - %s\n", nt_errstr(status));
 		goto failed;
@@ -173,7 +163,7 @@ void *torture_join_domain(const char *machine_name,
 	printf("Creating machine account %s\n", machine_name);
 
 again:
-	name.name = talloc_asprintf(mem_ctx, "%s$", machine_name);
+	name.name = talloc_asprintf(join, "%s$", machine_name);
 	r.in.domain_handle = &domain_handle;
 	r.in.account_name = &name;
 	r.in.acct_flags = acct_flags;
@@ -182,10 +172,10 @@ again:
 	r.out.access_granted = &access_granted;
 	r.out.rid = &rid;
 
-	status = dcerpc_samr_CreateUser2(join->p, mem_ctx, &r);
+	status = dcerpc_samr_CreateUser2(join->p, join, &r);
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
-		status = DeleteUser_byname(join->p, mem_ctx, &domain_handle, name.name);
+		status = DeleteUser_byname(join->p, join, &domain_handle, name.name);
 		if (NT_STATUS_IS_OK(status)) {
 			goto again;
 		}
@@ -198,12 +188,12 @@ again:
 
 	pwp.in.user_handle = &join->user_handle;
 
-	status = dcerpc_samr_GetUserPwInfo(join->p, mem_ctx, &pwp);
+	status = dcerpc_samr_GetUserPwInfo(join->p, join, &pwp);
 	if (NT_STATUS_IS_OK(status)) {
 		policy_min_pw_len = pwp.out.info.min_password_len;
 	}
 
-	join->machine_password = generate_random_str(mem_ctx, MAX(8, policy_min_pw_len));
+	join->machine_password = generate_random_str(join, MAX(8, policy_min_pw_len));
 
 	printf("Setting machine account password '%s'\n", join->machine_password);
 
@@ -224,7 +214,7 @@ again:
 
 	arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
 
-	status = dcerpc_samr_SetUserInfo(join->p, mem_ctx, &s);
+	status = dcerpc_samr_SetUserInfo(join->p, join, &s);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("SetUserInfo failed - %s\n", nt_errstr(status));
 		goto failed;
@@ -238,7 +228,7 @@ again:
 
 	printf("Resetting ACB flags\n");
 
-	status = dcerpc_samr_SetUserInfo(join->p, mem_ctx, &s);
+	status = dcerpc_samr_SetUserInfo(join->p, join, &s);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("SetUserInfo failed - %s\n", nt_errstr(status));
 		goto failed;
@@ -267,7 +257,7 @@ void torture_leave_domain(void *join_ctx)
 		d.in.user_handle = &join->user_handle;
 		d.out.user_handle = &join->user_handle;
 		
-		status = dcerpc_samr_DeleteUser(join->p, join->mem_ctx, &d);
+		status = dcerpc_samr_DeleteUser(join->p, join, &d);
 		if (!NT_STATUS_IS_OK(status)) {
 			printf("Delete of machine account failed\n");
 		}
@@ -277,5 +267,5 @@ void torture_leave_domain(void *join_ctx)
 		torture_rpc_close(join->p);
 	}
 
-	talloc_destroy(join->mem_ctx);
+	talloc_free(join);
 }