From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sat, 9 Dec 2006 02:58:18 +0000
Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix
 malloc and talloc'ed contexts in the add_XX_to_array() and
 add_XX_to_array_unique() calls. Ensure that these calls always return False
 on out of memory, True otherwise and always check them. Ensure that the
 relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED
 not SAFE_FREE'd. James - this should fix your crash bug in both branches.
 Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)

---
 source3/lib/system_smbd.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'source3/lib/system_smbd.c')

diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c
index fc506c901d..509b2bbcb1 100644
--- a/source3/lib/system_smbd.c
+++ b/source3/lib/system_smbd.c
@@ -181,11 +181,18 @@ BOOL getgroups_unix_user(TALLOC_CTX *mem_ctx, const char *user,
 	groups = NULL;
 
 	/* Add in primary group first */
-	add_gid_to_array_unique(mem_ctx, primary_gid, &groups, &ngrp);
+	if (!add_gid_to_array_unique(mem_ctx, primary_gid, &groups, &ngrp)) {
+		SAFE_FREE(temp_groups);
+		return False;
+	}
 
-	for (i=0; i<max_grp; i++)
-		add_gid_to_array_unique(mem_ctx, temp_groups[i],
-					&groups, &ngrp);
+	for (i=0; i<max_grp; i++) {
+		if (!add_gid_to_array_unique(mem_ctx, temp_groups[i],
+					&groups, &ngrp)) {
+			SAFE_FREE(temp_groups);
+			return False;
+		}
+	}
 
 	*p_ngroups = ngrp;
 	*ret_groups = groups;
-- 
cgit