r20186: Fix winbind crash bug in WINBIND_GETGROUPS.

response_extra_sent() expects to free a malloced
extra_data.data while the add_XX_to_array functions all return talloced
memory now. Jeremy, please check.

Guenther
(This used to be commit 9f34c9f3695757819d728a17a1497247ea479ebf)

diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 612147043e6d49ad47846284c64c444c8c1d485b..deee07413c4dc1f68a85d9d40f2d4e2b935269a8 100644 (file)
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -1217,7 +1217,7 @@ static void getgroups_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
                (struct getgroups_state *)private_data;
 
        if (success) {
-               if (!add_gid_to_array_unique(NULL, gid,
+               if (!add_gid_to_array_unique(s->state->mem_ctx, gid,
                                        &s->token_gids,
                                        &s->num_token_gids)) {
                        return;
@@ -1239,7 +1239,8 @@ static void getgroups_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
        }
 
        s->state->response.data.num_entries = s->num_token_gids;
-       s->state->response.extra_data.data = s->token_gids;
+       /* s->token_gids are talloced */
+       s->state->response.extra_data.data = smb_xmemdup(s->token_gids, s->num_token_gids * sizeof(gid_t));
        s->state->response.length += s->num_token_gids * sizeof(gid_t);
        request_ok(s->state);
 }