libcli/auth: Ensure that the dns_names in/out parameter is preserved

This is in dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords, which has
status variables filled in by the server and placed in this in/out
array.

This showed up as a segfault in winbindd during RODC DNS update.

Andrew Bartlett

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d709e6a7b3d2a3d681ae330162b08d25dffc8236..a461dc600dd127edb32563bfa6f582fc312cb76b 100644 (file)
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -2754,7 +2754,14 @@ static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tev
        NTSTATUS result;
        bool ok;
 
-       status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state,
+       /*
+        * We use state->dns_names as the memory context, as this is
+        * the only in/out variable and it has been overwritten by the
+        * out parameter from the server.
+        *
+        * We need to preserve the return value until the caller can use it.
+        */
+       status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state->dns_names,
                                                                    &result);
        TALLOC_FREE(subreq);
        if (tevent_req_nterror(req, status)) {