diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-08-17 22:47:44 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-08-17 16:41:26 +0200 |
commit | 26bfe70def9905674c74bfe6f9d687b243af4891 (patch) | |
tree | 10ca84ae33e56851a8d4d2f2fc90812445c6ca49 /source4/dsdb | |
parent | 1b487ad3d7f709b0a100ccdc6fc30dcf7d0b778c (diff) | |
download | samba-26bfe70def9905674c74bfe6f9d687b243af4891.tar.gz samba-26bfe70def9905674c74bfe6f9d687b243af4891.tar.bz2 samba-26bfe70def9905674c74bfe6f9d687b243af4891.zip |
s4-kcc: Avoid use-after-free of dn and add tmp_ctx
By using a tmp_ctx we are clearer about allocating temporary memory.
Andrew Bartlett
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/kcc/kcc_periodic.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c index f96347f423..8f705d7aa1 100644 --- a/source4/dsdb/kcc/kcc_periodic.c +++ b/source4/dsdb/kcc/kcc_periodic.c @@ -70,10 +70,16 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, struct repsFromTo1 *r1 = &r->ctr.ctr1; struct GUID invocation_id = r1->source_dsa_invocation_id; unsigned int i, j; + TALLOC_CTX *tmp_ctx; /* we are expecting only version 1 */ SMB_ASSERT(r->version == 1); + tmp_ctx = talloc_new(p); + if (!tmp_ctx) { + return false; + } + for (i=0; i<res->count; i++) { struct ldb_message *msg = res->msgs[i]; struct ldb_message_element *el; @@ -93,23 +99,24 @@ static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r, } } for (j=0; j<el->num_values; j++) { - dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]); + dn = ldb_dn_from_ldb_val(tmp_ctx, p->service->samdb, &el->values[j]); if (!ldb_dn_validate(dn)) { talloc_free(dn); continue; } if (ldb_dn_compare(dn, p->dn) == 0) { - talloc_free(dn); DEBUG(5,("%s %s match on %s in %s\n", r1->other_info->dns_name, el->name, ldb_dn_get_linearized(dn), ldb_dn_get_linearized(msg->dn))); + talloc_free(tmp_ctx); return true; } talloc_free(dn); } } + talloc_free(tmp_ctx); return false; } |