From 39b4feb503082cbbd036b2dcd741fe2ffe4aed76 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Fri, 25 Nov 2016 13:08:11 +0100
Subject: cache_req: fix initgroups by name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If overriden name was provided we stole already freed value.
Name is attached to "user" talloc context which we freed before
stealing the value. This caused crash in SSSD.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/responder/common/cache_req/plugins')

diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
index cc3795d56..8755d7e9c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
@@ -152,9 +152,9 @@ cache_req_initgroups_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
     }
 
     name = ldb_msg_find_attr_as_string(user->msgs[0], SYSDB_NAME, NULL);
-    talloc_free(user);
     if (name == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL\n");
+        talloc_free(user);
         return ERR_INTERNAL;
     }
 
@@ -162,6 +162,8 @@ cache_req_initgroups_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
      * views unless some error occurred. */
     *_string = talloc_steal(mem_ctx, name);
 
+    talloc_free(user);
+
     return EOK;
 }
 
-- 
cgit