[PATCH 10/12] winbindd: Do not use group_list->out.resume_index after free

Kamen Mazdrashki kamenim at samba.org
Sun Sep 7 21:40:07 MDT 2014 

Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>

On Mon, Sep 8, 2014 at 1:30 AM, <abartlet at samba.org> wrote:

> From: Andrew Bartlett <abartlet at samba.org>
>
> Found by AddressSanitizer
>
> Change-Id: I59009144b28c390ddb80b7b3fbb4007dfd16db0e
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> ---
>  source4/winbind/wb_cmd_setgrent.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/source4/winbind/wb_cmd_setgrent.c
> b/source4/winbind/wb_cmd_setgrent.c
> index 452d9e7..aed5c70 100644
> --- a/source4/winbind/wb_cmd_setgrent.c
> +++ b/source4/winbind/wb_cmd_setgrent.c
> @@ -115,6 +115,7 @@ static void cmd_setgrent_recv_group_list(struct
> composite_context *ctx)
>                         group_list);
>         if (NT_STATUS_IS_OK(state->ctx->status) ||
>                 NT_STATUS_EQUAL(state->ctx->status, STATUS_MORE_ENTRIES)) {
> +               uint32_t resume_index = group_list->out.resume_index;
>                 if( state->result->page_index == -1) { /* First run*/
>                         state->result->group_list = group_list;
>                         state->result->page_index = 0;
> @@ -130,7 +131,7 @@ static void cmd_setgrent_recv_group_list(struct
> composite_context *ctx)
>
> tmp[i+state->result->group_list->out.count].groupname =
> talloc_steal(state->result,group_list->out.groups[i].groupname);
>                         }
>                         state->result->group_list->out.count +=
> group_list->out.count;
> -                       talloc_free(group_list);
> +                       TALLOC_FREE(group_list);
>                 }
>
>
> @@ -140,7 +141,7 @@ static void cmd_setgrent_recv_group_list(struct
> composite_context *ctx)
>                         group_list_send = talloc(state->result, struct
> libnet_GroupList);
>                         if (composite_nomem(group_list_send, state->ctx))
> return;
>                         group_list_send->in.domain_name =
> talloc_strdup(state, state->domain_name);
> -                       group_list_send->in.resume_index =
> group_list->out.resume_index;
> +                       group_list_send->in.resume_index = resume_index;
>                         group_list_send->in.page_size = 128;
>                         ctx = libnet_GroupList_send(state->libnet_ctx,
> state->result, group_list_send, NULL);
>                         composite_continue(state->ctx, ctx,
> cmd_setgrent_recv_group_list, state);
> --
> 2.1.0
>
>

More information about the samba-technical mailing list