Fix a segfault in wbcLookupSid
authorVolker Lendecke <vl@samba.org>
Tue, 17 Jun 2008 12:53:07 +0000 (14:53 +0200)
committerVolker Lendecke <vl@samba.org>
Tue, 17 Jun 2008 13:22:04 +0000 (15:22 +0200)
If the BAIL_ON_WBC_ERROR directly after wbcRequestResponse kicks in, *domain
and *name have not been initialized yet. So the cleanup routine in the done:
part of the routine (which did not check for domain!=NULL etc) would access
uninitialized memory.

Jerry, please check!

Thanks,

Volker
(cherry picked from commit 3d7e0cc40b1992f4555807acec4f00450e30e2de)
(This used to be commit ac5ba26bb0488c3fb95072d84898c02b72c5b819)

source3/nsswitch/libwbclient/wbc_sid.c

index 500be2f3421d8c11afb89344774b73f53603fa43..93281a85fee7fc9e8740c32bd2c66b4eca2398d6 100644 (file)
@@ -228,14 +228,17 @@ wbcErr wbcLookupName(const char *domain,
  **/
 
 wbcErr wbcLookupSid(const struct wbcDomainSid *sid,
-                   char **domain,
-                   char **name,
-                   enum wbcSidType *name_type)
+                   char **pdomain,
+                   char **pname,
+                   enum wbcSidType *pname_type)
 {
        struct winbindd_request request;
        struct winbindd_response response;
        wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
        char *sid_string = NULL;
+       char *domain = NULL;
+       char *name = NULL;
+       enum wbcSidType name_type;
 
        if (!sid) {
                wbc_status = WBC_ERR_INVALID_PARAM;
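Review bot: The rename to `pdomain`/`pname`/`pname_type` should be mirrored in the doc comment that closes just above this hunk, which is outside the visible lines; if its `@param` tags still say `domain`, `name` and `name_type`, they no longer match the signature. The comment could also state the contract the new code implements, for example `@param pdomain  Optional (may be NULL); written only on success, talloc-allocated and owned by the caller`. Because the outputs are left untouched on failure, callers must not free them after an error unless they initialised them to NULL themselves. The body of wbcLookupSid continues outside this hunk.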
@@ -264,28 +267,35 @@ wbcErr wbcLookupSid(const struct wbcDomainSid *sid,
 
        /* Copy out result */
 
-       if (domain != NULL) {
-               *domain = talloc_strdup(NULL, response.data.name.dom_name);
-               BAIL_ON_PTR_ERROR((*domain), wbc_status);
-       }
+       domain = talloc_strdup(NULL, response.data.name.dom_name);
+       BAIL_ON_PTR_ERROR(domain, wbc_status);
 
-       if (name != NULL) {
-               *name = talloc_strdup(NULL, response.data.name.name);
-               BAIL_ON_PTR_ERROR((*name), wbc_status);
-       }
+       name = talloc_strdup(NULL, response.data.name.name);
+       BAIL_ON_PTR_ERROR(name, wbc_status);
 
-       if (name_type) {
-               *name_type = (enum wbcSidType)response.data.name.type;
-       }
+       name_type = (enum wbcSidType)response.data.name.type;
 
        wbc_status = WBC_ERR_SUCCESS;
 
  done:
-       if (!WBC_ERROR_IS_OK(wbc_status)) {
-               if (*domain)
-                       talloc_free(*domain);
-               if (*name)
-                       talloc_free(*name);
+       if (WBC_ERROR_IS_OK(wbc_status)) {
+               if (pdomain != NULL) {
+                       *pdomain = domain;
+               }
+               if (pname != NULL) {
+                       *pname = name;
+               }
+               if (pname_type != NULL) {
+                       *pname_type = name_type;
+               }
+       }
+       else {
+               if (name != NULL) {
+                       talloc_free(name);
+               }
+               if (domain != NULL) {
+                       talloc_free(domain);
+               }
        }
 
        return wbc_status;
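Review bot: On the success path both strings are now duplicated unconditionally, but the `done:` block hands them over only when `pdomain` and `pname` are non-NULL, so a caller that passes NULL for either one leaks the `talloc_strdup(NULL, ...)` result on every successful call. The removed code avoided this by skipping the allocation when the output pointer was NULL. Adding `else { talloc_free(domain); }` to the `pdomain` check and `else { talloc_free(name); }` to the `pname` check closes the leak. In a long-running process that resolves SIDs repeatedly, the leak is otherwise unbounded memory growth.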