s4:ldb_map Fix use-after-free of memory in ldb_map
[ira/wip.git] / source4 / lib / ldb / ldb_map / ldb_map_outbound.c
index 6a8e796ca4646d0b5d93c340e07df3a16779c46a..45caffeeae028e9b1c55818ec59c4284f063eb8f 100644 (file)
@@ -1261,7 +1261,7 @@ static int map_remote_search_callback(struct ldb_request *req,
                        return ret;
                }
 
-               talloc_free(ares);
+               ac->remote_done_ares = talloc_steal(ac, ares);
 
                ret = map_search_local(ac);
                if (ret != LDB_SUCCESS) {
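Review bot: The new `ac->remote_done_ares = talloc_steal(ac, ares);` line moves ownership of the remote DONE reply to `ac` without saying why, whereas the local side got an explanatory comment in the next hunk. I would add a comment above it, `/* Keep the remote DONE reply on ac: map_local_merge_callback() reads its controls, response and error when it finishes the request */`, so a later cleanup does not put the free back and reintroduce the use-after-free. The reply now lives as long as `ac` does, which appears to be the intent. The body of map_remote_search_callback starts and ends outside this hunk.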
@@ -1333,6 +1333,7 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
                break;
 
        case LDB_REPLY_DONE:
+               /* We don't need the local 'ares', but we will use the remote one from below */
                talloc_free(ares);
 
                /* No local record found, map and send remote record */
@@ -1371,9 +1372,9 @@ int map_local_merge_callback(struct ldb_request *req, struct ldb_reply *ares)
                /* ok we are done with all search, finally it is time to
                 * finish operations for this module */
                return ldb_module_done(ac->req,
-                                       ac->r_current->remote->controls,
-                                       ac->r_current->remote->response,
-                                       ac->r_current->remote->error);
+                                       ac->remote_done_ares->controls,
+                                       ac->remote_done_ares->response,
+                                       ac->remote_done_ares->error);
        }
 
        return LDB_SUCCESS;
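Review bot: The three `ac->remote_done_ares->...` arguments dereference the field unchecked, and the only assignment visible on this page is the one in map_remote_search_callback. The field's declaration and the way `ac` is initialised are not shown here, so if the local merge can ever finish without that branch having run, the use-after-free is traded for a NULL dereference. A guard ahead of the call would make the invariant explicit: `if (ac->remote_done_ares == NULL) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); }`. map_local_merge_callback begins outside the hunk.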