s4-lsa: Fix a user after free in dcesrv_lsa_lookup_name().

Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 07d5c2ff862e098b63a1b69df846d468aa353e83..40842f02bd00788f8df57dbd0dc6b3de5b3b0d6d 100644 (file)
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -305,19 +305,25 @@ static NTSTATUS dcesrv_lsa_lookup_name(struct tevent_context *ev_ctx,
                }
                if (strcasecmp_m(username, state->domain_dns) == 0) { 
                        *authority_name = state->domain_name;
-                       *sid =  state->domain_sid;
+                       *sid =  dom_sid_dup(mem_ctx, state->domain_sid);
+                       if (*sid == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
                        *rtype = SID_NAME_DOMAIN;
                        *rid = 0xFFFFFFFF;
                        return NT_STATUS_OK;
                }
                if (strcasecmp_m(username, state->domain_name) == 0) { 
                        *authority_name = state->domain_name;
-                       *sid =  state->domain_sid;
+                       *sid =  dom_sid_dup(mem_ctx, state->domain_sid);
+                       if (*sid == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
                        *rtype = SID_NAME_DOMAIN;
                        *rid = 0xFFFFFFFF;
                        return NT_STATUS_OK;
                }
-               
+
                /* Perhaps this is a well known user? */
                name = talloc_asprintf(mem_ctx, "%s\\%s", NAME_NT_AUTHORITY, username);
                if (!name) {