1 files changed, 20 insertions, 4 deletions

diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index e9dc46aa3c..18d8b643dd 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -426,9 +426,14 @@ static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_d
 	data_blob_free(&auth_reply);
 
 	SAFE_FREE(*ppdata);
-	*ppdata = response.data;
+	*ppdata = memdup(response.data, response.length);
+	if ((*ppdata) == NULL && response.length > 0) {
+		status = NT_STATUS_NO_MEMORY;
+	}
 	*p_data_size = response.length;
 
+	data_blob_free(&response);
+
 	return status;
 }
 #endif
@@ -463,8 +468,13 @@ static NTSTATUS srv_enc_ntlm_negotiate(unsigned char **ppdata, size_t *p_data_si
 	}
 
 	SAFE_FREE(*ppdata);
-	*ppdata = response.data;
+	*ppdata = memdup(response.data, response.length);
+	if ((*ppdata) == NULL && response.length > 0) {
+		status = NT_STATUS_NO_MEMORY;
+	}
 	*p_data_size = response.length;
+	data_blob_free(&response);
+
 	return status;
 }
 
@@ -585,8 +595,11 @@ static NTSTATUS srv_enc_spnego_ntlm_auth(connection_struct *conn,
 	}
 
 	SAFE_FREE(*ppdata);
-	*ppdata = response.data;
+	*ppdata = memdup(response.data, response.length);
+	if ((*ppdata) == NULL && response.length > 0)
+		return NT_STATUS_NO_MEMORY;
 	*p_data_size = response.length;
+	data_blob_free(&response);
 	return status;
 }
 
@@ -636,8 +649,11 @@ static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn,
 
 	/* Return the raw blob. */
 	SAFE_FREE(*ppdata);
-	*ppdata = response.data;
+	*ppdata = memdup(response.data, response.length);
+	if ((*ppdata) == NULL && response.length > 0)
+		return NT_STATUS_NO_MEMORY;
 	*p_data_size = response.length;
+	data_blob_free(&response);
 	return status;
 }