authorAndrew Bartlett <abartlet@samba.org>2009-10-21 18:23:18 +1100
committerAndrew Bartlett <abartlet@samba.org>2009-10-21 22:43:57 +1100
commitfa2e04b64004f24bcac51a44ce37b8923480b819 (patch)
tree97c69633dabc95ec76e150646747900b915398b4 /source4/lib
parent96ec45309a367a00234f7c62c2d30c64ae95b680 (diff)
s4:ldb_map Fix use-after-free of memory in ldb_map
We need to keep the old 'ares' from the remote server around so we can forward it back to the caller. We can't send the same controls (from the last search entry) twice (and it makes no sense anyway). Andrew Bartlett
Diffstat (limited to 'source4/lib')
-rw-r--r--source4/lib/ldb/ldb_map/ldb_map_outbound.c9
-rw-r--r--source4/lib/ldb/ldb_map/ldb_map_private.h3
2 files changed, 8 insertions, 4 deletions
diff --git a/source4/lib/ldb/ldb_map/ldb_map_outbound.c b/source4/lib/ldb/ldb_map/ldb_map_outbound.c
index 6a8e796ca4..45caffeeae 100644
--- a/source4/lib/ldb/ldb_map/ldb_map_outbound.c
+++ b/source4/lib/ldb/ldb_map/ldb_map_outbound.c
@@ -1261,7 +1261,7 @@ static int map_remote_search_callback(struct ldb_request *req,
return ret;
}
- talloc_free(ares);
+ ac->remote_done_ares = talloc_steal(ac, ares);
ret = map_search_local(ac);
if (ret != LDB_SUCCESS) {
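Review bot: The new `talloc_steal(ac, ares)` line carries no comment saying why the remote reply is kept, although this is the line that ties the reply's lifetime to `ac` and closes the use-after-free. A later cleanup could easily turn it back into a `talloc_free(ares)`. I would add above it `/* Keep the remote 'ares' alive on ac: map_local_merge_callback() forwards its controls, response and error once the local searches are done */`. The enclosing branch of map_remote_search_callback starts and ends outside the hunk, so whether any earlier return path still frees `ares` itself cannot be checked from here.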
@@ -1333,6 +1333,7 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
break;
case LDB_REPLY_DONE:
+ /* We don't need the local 'ares', but we will use the remote one from below */
talloc_free(ares);
/* No local record found, map and send remote record */
@@ -1371,9 +1372,9 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
/* ok we are done with all search, finally it is time to
* finish operations for this module */
return ldb_module_done(ac->req,
- ac->r_current->remote->controls,
- ac->r_current->remote->response,
- ac->r_current->remote->error);
+ ac->remote_done_ares->controls,
+ ac->remote_done_ares->response,
+ ac->remote_done_ares->error);
}
return LDB_SUCCESS;
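Review bot: The three `ac->remote_done_ares->...` arguments to `ldb_module_done()` dereference the new field unchecked, so this path relies on map_remote_search_callback having stored the reply before any local merge callback runs. That ordering appears to hold in the first hunk, where the steal precedes `map_search_local(ac)`, but nothing here enforces it and the allocation of `struct map_context` is not visible. A guard before the call turns a broken invariant into an LDB error instead of a NULL dereference: `if (ac->remote_done_ares == NULL) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); }`. The body of map_local_merge_callback continues outside the hunk.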
diff --git a/source4/lib/ldb/ldb_map/ldb_map_private.h b/source4/lib/ldb/ldb_map/ldb_map_private.h
index 612d215ae9..1ea9e5871f 100644
--- a/source4/lib/ldb/ldb_map/ldb_map_private.h
+++ b/source4/lib/ldb/ldb_map/ldb_map_private.h
@@ -37,6 +37,9 @@ struct map_context {
struct map_reply *r_list;
struct map_reply *r_current;
+
+ /* The response continaing any controls the remote server gave */
+ struct ldb_reply *remote_done_ares;
};
/* Common operations
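Review bot: The comment on the new `remote_done_ares` field misspells "containing" and does not say who owns the pointer or when it becomes valid, which is what matters for a field added to fix a use-after-free. I would word it as `/* Final reply from the remote search, talloc_steal()ed onto this context; its controls, response and error are passed to ldb_module_done(). NULL until the remote search completes. */`. The "NULL until" part assumes the context is zero-initialised when allocated, which this hunk does not show, so confirm that before adopting the wording.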