s4:kdc:mit: Fix heap-use-after-free

We need to duplicate the string as lp_load() will free the s4_conf_file
pointer and set it again.

Found with AddressSanitizer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 54dcd545ea12df70a0a257ae7c3e6719879e86cb..feacc1b5f191e8ecc8eafac8c3613a7bd3ae56ba 100644 (file)
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -81,8 +81,14 @@ int mit_samba_context_init(struct mit_samba_context **_ctx)
 
        /* init s4 configuration */
        s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
-       if (s4_conf_file) {
-               lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
+       if (s4_conf_file != NULL) {
+               char *p = talloc_strdup(ctx, s4_conf_file);
+               if (p == NULL) {
+                       ret = ENOMEM;
+                       goto done;
+               }
+               lpcfg_load(base_ctx.lp_ctx, p);
+               TALLOC_FREE(p);
        } else {
                lpcfg_load_default(base_ctx.lp_ctx);
        }