r14367: Not that I fully understand what's going on here, but the code as it was here

was clearly buggy as Coverity showed with bug id #36.

According to samba4 idl the sec_desc_buf is [in,out,ref], so we _have_ to ship
it in the request.

Volker
(This used to be commit 075e784491e6f2b491bd063db08ff1267f9cabbb)

1 files changed, 8 insertions, 4 deletions

diff --git a/source3/libmsrpc/cac_winreg.c b/source3/libmsrpc/cac_winreg.c
index 8c9f06a59b..4f6ae40808 100644
--- a/source3/libmsrpc/cac_winreg.c
+++ b/source3/libmsrpc/cac_winreg.c
@@ -823,7 +823,7 @@ int cac_RegGetKeySecurity(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct RegG
    WERROR err;
 
    uint32 buf_size;
-   SEC_DESC_BUF *buf = NULL;
+   SEC_DESC_BUF buf;
 
    if(!hnd) 
       return CAC_FAILURE;
@@ -844,7 +844,7 @@ int cac_RegGetKeySecurity(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct RegG
       return CAC_FAILURE;
    }
 
-   err = rpccli_reg_get_key_sec(pipe_hnd, mem_ctx, op->in.key, op->in.info_type, &buf_size, buf);
+   err = rpccli_reg_get_key_sec(pipe_hnd, mem_ctx, op->in.key, op->in.info_type, &buf_size, &buf);
    hnd->status = werror_to_ntstatus(err);
 
 
@@ -852,8 +852,12 @@ int cac_RegGetKeySecurity(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct RegG
       return CAC_FAILURE;
    }
 
-   op->out.size = buf->len;
-   op->out.descriptor = buf->sec;
+   op->out.size = buf.len;
+   op->out.descriptor = dup_sec_desc(mem_ctx, buf.sec);
+
+   if (op->out.descriptor == NULL) {
+	   return CAC_FAILURE;
+   }
 
    return CAC_SUCCESS;
 }