Coverity complains of a use-after-free in source3/libads/ldap_schema.c:ads_get_attrname_by_guild

[Richard Sharpe]

Hi folks,

At line 141 we see:

        rc = ads_do_search_retry(ads, schema_path, LDAP_SCOPE_SUBTREE,
                                 expr, attrs, &res);
        if (!ADS_ERR_OK(rc)) {
                goto done;
        }

        if (ads_count_replies(ads, res) != 1) {
                goto done;
        }

        result = ads_pull_string(ads, mem_ctx, res, "lDAPDisplayName");

 done:
        TALLOC_FREE(guid_bin);
        ads_msgfree(ads, res);
        return result;

}


However, ads_do_search_retry will free the object pointed to by ads
when an error occurs, it seems. Then after done: we call ads_msgfree
and pass ads.

Looks like a use after free to me.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)