4 files changed, 101 insertions, 21 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 497f16adf2..eb15fff7c8 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -591,33 +591,36 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 	    (strlen(lp_log_nt_token_command()) > 0)) {
 		TALLOC_CTX *mem_ctx;
 		char *command;
-		fstring sidstr;
-		char *user_sidstr, *group_sidstr;
+		char *group_sidstr;
 
 		mem_ctx = talloc_init("setnttoken");
 		if (mem_ctx == NULL)
 			return NT_STATUS_NO_MEMORY;
 
-		sid_to_string(sidstr, &ptoken->user_sids[0]);
-		user_sidstr = talloc_strdup(mem_ctx, sidstr);
-
 		group_sidstr = talloc_strdup(mem_ctx, "");
 		for (i=1; i<ptoken->num_sids; i++) {
-			sid_to_string(sidstr, &ptoken->user_sids[i]);
-			group_sidstr = talloc_asprintf(mem_ctx, "%s %s",
-						       group_sidstr, sidstr);
+			group_sidstr = talloc_asprintf(
+				mem_ctx, "%s %s", group_sidstr,
+				sid_string_static(&ptoken->user_sids[i]));
+		}
+
+		command = talloc_string_sub(
+			mem_ctx, lp_log_nt_token_command(),
+			"%s", sid_string_static(&ptoken->user_sids[0]));
+		command = talloc_string_sub(
+			mem_ctx, command, "%t", group_sidstr);
+
+		if (command == NULL) {
+			talloc_destroy(mem_ctx);
+			return NT_STATUS_NO_MEMORY;
 		}
 
-		command = SMB_STRDUP(lp_log_nt_token_command());
-		command = realloc_string_sub(command, "%s", user_sidstr);
-		command = realloc_string_sub(command, "%t", group_sidstr);
 		DEBUG(8, ("running command: [%s]\n", command));
 		if (smbrun(command, NULL) != 0) {
 			DEBUG(0, ("Could not log NT token\n"));
 			nt_status = NT_STATUS_ACCESS_DENIED;
 		}
 		talloc_destroy(mem_ctx);
-		SAFE_FREE(command);
 	}
 
 	*token = ptoken;
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 9b14dcfaf0..80bb2ff2ad 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -1003,7 +1003,8 @@ void pstring_sub(char *s,const char *pattern,const char *insert)
  as string.
 **/
 
-char *realloc_string_sub(char *string, const char *pattern, const char *insert)
+char *realloc_string_sub(char *string, const char *pattern,
+			 const char *insert)
 {
 	char *p, *in;
 	char *s;
@@ -1063,6 +1064,77 @@ char *realloc_string_sub(char *string, const char *pattern, const char *insert)
 	return string;
 }
 
+/* Same as string_sub, but returns a talloc'ed string */
+
+char *talloc_string_sub(TALLOC_CTX *mem_ctx, const char *src,
+			const char *pattern, const char *insert)
+{
+	char *p, *in;
+	char *s;
+	char *string;
+	ssize_t ls,lp,li,ld, i;
+
+	if (!insert || !pattern || !*pattern || !src || !*src)
+		return NULL;
+
+	string = talloc_strdup(mem_ctx, src);
+	if (string == NULL) {
+		DEBUG(0, ("talloc_strdup failed\n"));
+		return NULL;
+	}
+
+	s = string;
+
+	in = SMB_STRDUP(insert);
+	if (!in) {
+		DEBUG(0, ("talloc_string_sub: out of memory!\n"));
+		return NULL;
+	}
+	ls = (ssize_t)strlen(s);
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+	ld = li - lp;
+	for (i=0;i<li;i++) {
+		switch (in[i]) {
+			case '`':
+			case '"':
+			case '\'':
+			case ';':
+			case '$':
+			case '%':
+			case '\r':
+			case '\n':
+				in[i] = '_';
+			default:
+				/* ok */
+				break;
+		}
+	}
+	
+	while ((p = strstr_m(s,pattern))) {
+		if (ld > 0) {
+			int offset = PTR_DIFF(s,string);
+			char *t = TALLOC_REALLOC(mem_ctx, string, ls + ld + 1);
+			if (!t) {
+				DEBUG(0, ("talloc_string_sub: out of "
+					  "memory!\n"));
+				SAFE_FREE(in);
+				return NULL;
+			}
+			string = t;
+			p = t + offset + (p - s);
+		}
+		if (li != lp) {
+			memmove(p+li,p+lp,strlen(p+lp)+1);
+		}
+		memcpy(p, in, li);
+		s = p + li;
+		ls += ld;
+	}
+	SAFE_FREE(in);
+	return string;
+}
+
 /**
  Similar to string_sub() but allows for any character to be substituted. 
  Use with caution!
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index e683f397b6..1d9b77afee 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -419,16 +419,21 @@ done:
 	if ( NT_STATUS_IS_OK(result) &&
 	     (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
 
-		char *afsname = SMB_STRDUP(lp_afs_username_map());
+		char *afsname = talloc_strdup(state->mem_ctx,
+					      lp_afs_username_map());
 		char *cell;
 
 		if (afsname == NULL) {
 			goto no_token;
 		}
 
-		afsname = realloc_string_sub(afsname, "%D", name_domain);
-		afsname = realloc_string_sub(afsname, "%u", name_user);
-		afsname = realloc_string_sub(afsname, "%U", name_user);
+		afsname = talloc_string_sub(state->mem_ctx,
+					    lp_afs_username_map(),
+					    "%D", name_domain);
+		afsname = talloc_string_sub(state->mem_ctx, afsname,
+					    "%u", name_user);
+		afsname = talloc_string_sub(state->mem_ctx, afsname,
+					    "%U", name_user);
 
 		{
 			DOM_SID user_sid;
@@ -437,7 +442,8 @@ done:
 			sid_copy(&user_sid, &info3.dom_sid.sid);
 			sid_append_rid(&user_sid, info3.user_rid);
 			sid_to_string(sidstr, &user_sid);
-			afsname = realloc_string_sub(afsname, "%s", sidstr);
+			afsname = talloc_string_sub(state->mem_ctx, afsname,
+						    "%s", sidstr);
 		}
 
 		if (afsname == NULL) {
@@ -466,7 +472,7 @@ done:
 				strlen(state->response.extra_data)+1;
 
 	no_token:
-		SAFE_FREE(afsname);
+		talloc_free(afsname);
 	}
 		
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 20cf2d328e..cb0bc8eeb6 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -3708,8 +3708,7 @@ char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
 	escaped = escape_ldap_string_alloc(username);
 	if (escaped == NULL) goto done;
 
-	filter = realloc_string_sub(filter, "%u", username);
-	result = talloc_strdup(mem_ctx, filter);
+	result = talloc_string_sub(mem_ctx, filter, "%u", username);
 
  done:
 	SAFE_FREE(filter);