summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-08-17 22:47:44 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-08-17 16:41:26 +0200
commit26bfe70def9905674c74bfe6f9d687b243af4891 (patch)
tree10ca84ae33e56851a8d4d2f2fc90812445c6ca49 /source4/dsdb
parent1b487ad3d7f709b0a100ccdc6fc30dcf7d0b778c (diff)
downloadsamba-26bfe70def9905674c74bfe6f9d687b243af4891.tar.gz
samba-26bfe70def9905674c74bfe6f9d687b243af4891.tar.bz2
samba-26bfe70def9905674c74bfe6f9d687b243af4891.zip
s4-kcc: Avoid use-after-free of dn and add tmp_ctx
By using a tmp_ctx we are clearer about allocating temporary memory. Andrew Bartlett
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/kcc/kcc_periodic.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index f96347f423..8f705d7aa1 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
struct repsFromTo1 *r1 = &r->ctr.ctr1;
struct GUID invocation_id = r1->source_dsa_invocation_id;
unsigned int i, j;
+ TALLOC_CTX *tmp_ctx;
/* we are expecting only version 1 */
SMB_ASSERT(r->version == 1);
+ tmp_ctx = talloc_new(p);
+ if (!tmp_ctx) {
+ return false;
+ }
+
for (i=0; i<res->count; i++) {
struct ldb_message *msg = res->msgs[i];
struct ldb_message_element *el;
@@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
}
}
for (j=0; j<el->num_values; j++) {
- dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
+ dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]);
if (!ldb_dn_validate(dn)) {
talloc_free(dn);
continue;
}
if (ldb_dn_compare(dn, p->dn) == 0) {
- talloc_free(dn);
DEBUG(5,("%s %s match on %s in %s\n",
r1->other_info->dns_name,
el->name,
ldb_dn_get_linearized(dn),
ldb_dn_get_linearized(msg->dn)));
+ talloc_free(tmp_ctx);
return true;
}
talloc_free(dn);
}
}
+ talloc_free(tmp_ctx);
return false;
}