author | Stefan Metzmacher <metze@samba.org> | 2009-10-23 17:23:56 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2009-10-24 11:59:14 +0200 |
commit | f2da9c8c1a2f7a4b805f43fd643f877c9274799a (patch) | |
tree | 6cf69653fc08e9f7149be678ca4e7f0e7bfd075f /libcli | |
parent | 5ae1d700ebf4b6bb63128f50c01ce4365b4e8d94 (diff) | |
libcli/auth: fix memory leak in schannel_creds_server_step_check_ldb()
metze
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/auth/schannel_state_ldb.c | 61 |
1 files changed, 37 insertions, 24 deletions
diff --git a/libcli/auth/schannel_state_ldb.c b/libcli/auth/schannel_state_ldb.c
index 161c5378eae..ba3d96fcf7e 100644
--- a/libcli/auth/schannel_state_ldb.c
+++ b/libcli/auth/schannel_state_ldb.c
@@ -270,10 +270,21 @@ NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out)
 {
- struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds = NULL;
 NTSTATUS nt_status;
 int ret;
+ /* If we are flaged that schannel is required for a call, and
+ * it is not in use, then make this an error */
+
+ /* It would be good to make this mandetory once schannel is
+ * negoiated, but this is not what windows does */
+ if (schannel_required_for_call && !schannel_in_use) {
+ DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n",
+ creds->computer_name ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 ret = ldb_transaction_start(ldb);
 if (ret != 0) {
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
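Review bot: The relocated schannel guard still logs `creds->computer_name`, but `creds` is now initialised to NULL and nothing assigns it before this point, so the DEBUG(0, ...) argument dereferences a NULL pointer whenever `schannel_required_for_call && !schannel_in_use` holds. The caller then gets a crash in the serving process rather than NT_STATUS_ACCESS_DENIED, on exactly the path meant to reject a client that skipped schannel. The second hunk passes a `computer_name` value to schannel_fetch_session_key_ldb(), so the log line can use it directly: `computer_name ));` in place of `creds->computer_name ));`. A regression test that calls the function with schannel_required_for_call set and schannel_in_use clear would pin the expected ACCESS_DENIED result. The function's parameter list begins outside the hunk.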
@@ -285,37 +296,39 @@ NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb,
 nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, &creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ ldb_transaction_cancel(ldb);
+ return nt_status;
+ }
- /* If we are flaged that schannel is required for a call, and
- * it is not in use, then make this an error */
-
- /* It would be good to make this mandetory once schannel is
- * negoiated, bu this is not what windows does */
- if (schannel_required_for_call && !schannel_in_use) {
- DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n",
- creds->computer_name ));
+ nt_status = netlogon_creds_server_step_check(creds,
+ received_authenticator,
+ return_authenticator);
+ if (!NT_STATUS_IS_OK(nt_status)) {
 ldb_transaction_cancel(ldb);
- return NT_STATUS_ACCESS_DENIED;
+ talloc_free(creds);
+ return nt_status;
 }
- if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = netlogon_creds_server_step_check(creds,
- received_authenticator,
- return_authenticator);
+ nt_status = schannel_store_session_key_ldb(ldb, mem_ctx, creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ ldb_transaction_cancel(ldb);
+ talloc_free(creds);
+ return nt_status;
 }
- if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = schannel_store_session_key_ldb(ldb, mem_ctx, creds);
+ ldb_transaction_commit(ldb);
+ if (ret != 0) {
+ talloc_free(creds);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
 }
- if (NT_STATUS_IS_OK(nt_status)) {
- ldb_transaction_commit(ldb);
- if (creds_out) {
- *creds_out = creds;
- talloc_steal(mem_ctx, creds);
- }
+ if (creds_out) {
+ *creds_out = creds;
+ talloc_steal(mem_ctx, creds);
 } else {
- ldb_transaction_cancel(ldb);
+ talloc_free(creds);
 }
- return nt_status;
+
+ return NT_STATUS_OK;
 } |
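Review bot: The result of `ldb_transaction_commit(ldb)` is discarded, so the `if (ret != 0)` right after it tests a stale value. Unless `ret` is reassigned in the lines between the two hunks, it still holds the ldb_transaction_start() result, which the first hunk shows was already checked to be 0, making the new error branch dead code. A failed commit would then fall through to `return NT_STATUS_OK` and hand `creds` to the caller even though the stepped credential state may not have been stored. Assign the result so the check is live: `ret = ldb_transaction_commit(ldb);`.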