From 2e1ab13f6ebb2c2cf746457d4783fe9bc5e86de0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Aug 2012 23:04:56 +1000 Subject: s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn The confusing use of do_dn as a memory context, while legitimate, created a bug when it was copied and modified to search on a DN from long-term state. By always using a temporary memory context it is clear which parameter is the memory context. This was found based on a log provided by Ricky Nance . Thanks Ricky! Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104 --- source4/dsdb/kcc/kcc_deleted.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source4/dsdb/kcc/kcc_deleted.c') diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c index 0e1a42826c..63bb97c08d 100644 --- a/source4/dsdb/kcc/kcc_deleted.c +++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -83,30 +83,35 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) struct ldb_result *res; const char *attrs[] = { "whenChanged", NULL }; unsigned int i; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } - ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, &do_dn); + ret = dsdb_get_deleted_objects_dn(s->samdb, tmp_ctx, part->dn, &do_dn); if (ret != LDB_SUCCESS) { + TALLOC_FREE(tmp_ctx); /* some partitions have no Deleted Objects container */ continue; } if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) { - ret = dsdb_search(s->samdb, do_dn, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, + ret = dsdb_search(s->samdb, tmp_ctx, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs, DSDB_SEARCH_SHOW_RECYCLED, NULL); } else { if (do_fs) { DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n", ldb_dn_get_linearized(part->dn))); } - ret = dsdb_search(s->samdb, part->dn, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, + ret = dsdb_search(s->samdb, tmp_ctx, &res, part->dn, LDB_SCOPE_SUBTREE, attrs, DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)"); } if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n", - ldb_dn_get_linearized(do_dn))); - talloc_free(do_dn); + ldb_dn_get_linearized(do_dn))); + TALLOC_FREE(tmp_ctx); continue; } @@ -134,7 +139,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx) } } - talloc_free(do_dn); + TALLOC_FREE(tmp_ctx); } return NT_STATUS_OK; -- cgit
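Review bot: The failure branch after the two dsdb_search() calls still logs `ldb_dn_get_linearized(do_dn)`, although in the full-scan branch the search base is `part->dn`, so the message can name a container that was never searched; logging the base actually used and appending `ldb_errstring(s->samdb)` would make the entry usable for diagnosis. Because the purpose of the change is that nothing allocated in this loop may end up on long-lived state, the tmp_ctx declaration deserves a comment such as `/* per-partition scratch context: do_dn and res live here and are freed on every exit from this iteration */`. The loop exits visible in the patch (both `continue` paths and the end of the iteration in the second hunk) free tmp_ctx, but the loop body between the two hunks is not shown, so any exit added or already present there would need the same `TALLOC_FREE(tmp_ctx);`.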