s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()
author Volker Lendecke <vl@samba.org>
Sat, 9 Jan 2010 19:22:00 +0000 (20:22 +0100)
committer Karolin Seeger <kseeger@samba.org>
Wed, 13 Jan 2010 08:04:54 +0000 (09:04 +0100)
ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means
with ntlmssp_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob
after the ntlmssp_end().
(cherry picked from commit 43c841b6bd92e987109df81b6b8a2b85f21b0181)

Addresses bug #7027 (winbindd crash in winbindd_dual_ccache_ntlm_auth due to
freed memory reference.)

source3/winbindd/winbindd_ccache_access.c

index f0c77b2a7b23ad72c5397459970d664469c6f59d..508bda410523563ff9902d6f36c48bae0545fa17 100644 (file)
@@ -115,7 +115,7 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
                data_blob_free(&reply);
                goto done;
        }
-       *auth_msg = reply;
+       *auth_msg = data_blob(reply.data, reply.length);
        status = NT_STATUS_OK;
 
 done:
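
Review bot: the result of the copy on the `+` line is never checked before `status = NT_STATUS_OK` is set. If `data_blob()` fails to allocate, `auth_msg->data` would be NULL while the function still reports success, so the caller would go on with an empty auth message. Suggest testing `auth_msg->data == NULL` (when `reply.length != 0`) right after the copy and taking the `done:` path with `NT_STATUS_NO_MEMORY`. Since the copy is no longer a child of `ntlmssp_state`, a short comment here stating that the caller now owns `*auth_msg` and must release it with `data_blob_free()` would also help keep the lifetime rule visible to the next reader.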