From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Sat, 9 Dec 2006 02:58:18 +0000
Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
---
 source3/nsswitch/winbindd_async.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
(limited to 'source3/nsswitch/winbindd_async.c')
diff --git a/source3/nsswitch/winbindd_async.c b/source3/nsswitch/winbindd_async.c
index 4021106516..607a9947ea 100644
--- a/source3/nsswitch/winbindd_async.c
+++ b/source3/nsswitch/winbindd_async.c
@@ -774,7 +774,9 @@ static BOOL parse_sidlist(TALLOC_CTX *mem_ctx, char *sidstr,
 DEBUG(0, ("Could not parse sid %s\n", p));
 return False;
 }
- add_sid_to_array(mem_ctx, &sid, sids, num_sids);
+ if (!add_sid_to_array(mem_ctx, &sid, sids, num_sids)) {
+ return False;
+ }
 p = q;
 }
 return True;
@@ -985,7 +987,9 @@ enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain,
 DEBUGADD(10, (" rid %d\n", alias_rids[i]));
 sid_copy(&sid, &domain->sid);
 sid_append_rid(&sid, alias_rids[i]);
- add_sid_to_array(state->mem_ctx, &sid, &sids, &num_sids);
+ if (!add_sid_to_array(state->mem_ctx, &sid, &sids, &num_sids)) {
+ return WINBINDD_ERROR;
+ }
 }
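Review bot: The new `return False;` in parse_sidlist reports an allocation failure exactly like a malformed SID and, unlike the parse-failure branch just above it, logs nothing, so a caller such as the `!parse_sidlist(...)` check visible in the gettoken_recvdomgroups hunk will presumably treat out-of-memory as bad input. Adding `DEBUG(0, ("Out of memory\n"));` before the return would match the two gettoken_* hunks of this commit. The same applies to the silent `return WINBINDD_ERROR;` added in winbindd_dual_getsidaliases. Both function bodies start and end outside their hunks, so any cleanup that should happen before these early returns cannot be checked from here.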
@@ -1096,8 +1100,12 @@ static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, BOOL success, state->sids = NULL; state->num_sids = 0; - add_sid_to_array(mem_ctx, &state->user_sid, &state->sids, - &state->num_sids); + if (!add_sid_to_array(mem_ctx, &state->user_sid, &state->sids, + &state->num_sids)) { + DEBUG(0, ("Out of memory\n")); + state->cont(state->private_data, False, NULL, 0); + return; + } if (sids_str && !parse_sidlist(mem_ctx, sids_str, &state->sids, &state->num_sids)) { @@ -1133,9 +1141,14 @@ static void gettoken_recvaliases(void *private_data, BOOL success, return; } - for (i=0; imem_ctx, &aliases[i], - &state->sids, &state->num_sids); + for (i=0; imem_ctx, &aliases[i], + &state->sids, &state->num_sids)) { + DEBUG(0, ("Out of memory\n")); + state->cont(state->private_data, False, NULL, 0); + return; + } + } if (state->local_alias_domain != NULL) { struct winbindd_domain *local_domain = state->local_alias_domain; -- cgit
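Review bot: The out-of-memory branch added in gettoken_recvdomgroups does not say why it passes `NULL, 0` to the continuation instead of the SIDs gathered so far, and the same three statements are repeated in the gettoken_recvaliases loop. These lists presumably end up in a user token, where a silently shortened SID list would be worse than a failed lookup, so the intent is worth recording above each `state->cont(...)` call: `/* Fail closed: never hand a partially built SID list to the continuation. */`. Both functions continue outside their hunks, so whether `state->sids` is released after the early return is not visible here.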