From 39b4feb503082cbbd036b2dcd741fe2ffe4aed76 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Dec 19 2016 22:22:40 +0000
Subject: cache_req: fix initgroups by name


If overriden name was provided we stole already freed value.
Name is attached to "user" talloc context which we freed before
stealing the value. This caused crash in SSSD.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
index cc3795d..8755d7e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
@@ -152,9 +152,9 @@ cache_req_initgroups_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
     }
 
     name = ldb_msg_find_attr_as_string(user->msgs[0], SYSDB_NAME, NULL);
-    talloc_free(user);
     if (name == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL\n");
+        talloc_free(user);
         return ERR_INTERNAL;
     }
 
@@ -162,6 +162,8 @@ cache_req_initgroups_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
      * views unless some error occurred. */
     *_string = talloc_steal(mem_ctx, name);
 
+    talloc_free(user);
+
     return EOK;
 }