Coverity complains of a use-after-free in source3/libads/ldap_schema.c:ads_get_attrname_by_guild

Richard Sharpe realrichardsharpe at
Fri Oct 18 13:06:46 MDT 2013

Hi folks,

At line 141 we see:

        rc = ads_do_search_retry(ads, schema_path, LDAP_SCOPE_SUBTREE,
                                 expr, attrs, &res);
        if (!ADS_ERR_OK(rc)) {
                goto done;

        if (ads_count_replies(ads, res) != 1) {
                goto done;

        result = ads_pull_string(ads, mem_ctx, res, "lDAPDisplayName");

        ads_msgfree(ads, res);
        return result;


However, ads_do_search_retry will free the object pointed to by ads
when an error occurs, it seems. Then after done: we call ads_msgfree
and pass ads.

Looks like a use after free to me.

Richard Sharpe

More information about the samba-technical mailing list