From f6bc4c08b19f5615a49d281c0792c7fe4627e9bc Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 1 Oct 2010 10:26:49 -0700
Subject: s4-rpmd: fixed a use after realloc bug

we could use old_el after the base message had been re allocated, due
to adding timestamps. We need to re-find the element before using it

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 17dcba5929..198bb802cb 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -4016,12 +4016,18 @@ linked_attributes[0]:
 	   has changed */
 	if (add_time_element(msg, "whenChanged", t) != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
-		return LDB_ERR_OPERATIONS_ERROR;
+		return ldb_operr(ldb);
 	}
 
 	if (add_uint64_element(msg, "uSNChanged", seq_num) != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
-		return LDB_ERR_OPERATIONS_ERROR;
+		return ldb_operr(ldb);
+	}
+
+	old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
+	if (old_el == NULL) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb);
 	}
 
 	ret = dsdb_check_single_valued_link(attr, old_el);
-- 
cgit