Created attachment 16515 [details]
fix

We have been going:

    tmp_ctx = talloc_new(ldb);
    /* ... */
    for (i = 0; i < el->num_values; i++) {
        /* ... stuff using tmp_ctx ... */
        if (various somethings) {
            TALLOC_FREE(tmp_ctx);
            continue;
        }
    }

so if el->num_values > 1, and one of the various somethings is true, we have a use after free.
Actually this is just a leak, since the TALLOC_FREE nulls tmp_ctx, then everything else is allocated on NULL. Once there it is never freed.
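The pattern described in the two comments above, as an added example that is not Samba's or talloc's own code. It uses a tiny stand-in for talloc's ownership model (the names ctx_new, ctx_alloc, ctx_free, CTX_FREE, null_blocks, ROOT, scan_buggy and scan_fixed are all mine): a block allocated with a NULL parent hangs off a global null_context, which is what --leak-report-full prints. scan_buggy is the loop as described, one tmp_ctx freed on `continue`; scan_fixed gives each iteration its own context. The 80- and 19-byte sizes are the two block sizes from the leak report; the fix shown is one reasonable fix and is not claimed to be what the referenced Samba commit does.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for talloc (illustration only): each block knows its parent and
 * its children; freeing a block frees everything under it. */
struct blk {
    struct blk *parent;
    struct blk *next;      /* sibling list */
    struct blk *children;
    size_t size;
};

static struct blk null_context;  /* owner of blocks allocated on NULL, i.e. leaks */
static struct blk root_context;  /* stand-in owner for the ldb handle */
#define ROOT ((void *)(&root_context + 1))

static struct blk *hdr(void *p) { return (struct blk *)p - 1; }

static void *ctx_alloc(void *parent, size_t size)
{
    struct blk *p = parent ? hdr(parent) : &null_context;
    struct blk *b = calloc(1, sizeof(*b) + size);
    if (b == NULL) abort();
    b->parent = p;
    b->size = size;
    b->next = p->children;
    p->children = b;
    return b + 1;                       /* user pointer follows the header */
}

static void *ctx_new(void *parent) { return ctx_alloc(parent, 0); }

/* Free ptr and its subtree; like talloc_free(NULL), a NULL ptr is a no-op. */
static void ctx_free(void *ptr)
{
    struct blk *b, **pp;
    if (ptr == NULL) return;
    b = hdr(ptr);
    while (b->children != NULL)
        ctx_free(b->children + 1);
    for (pp = &b->parent->children; *pp != b; pp = &(*pp)->next)
        ;
    *pp = b->next;                      /* unlink from the parent */
    free(b);
}

/* Same contract as TALLOC_FREE(): free, then NULL the variable. */
#define CTX_FREE(p) do { ctx_free(p); (p) = NULL; } while (0)

/* Blocks nobody owns: what the 'null_context' leak report lists. */
static size_t null_blocks(size_t *bytes)
{
    size_t n = 0, total = 0;
    for (struct blk *b = null_context.children; b != NULL; b = b->next) {
        n++;
        total += b->size;
    }
    if (bytes) *bytes = total;
    return n;
}

/* skip[i] != 0 plays the "various somethings" that make the loop bail out
 * on value i. Returns the number of blocks leaked by this call. */
static size_t scan_buggy(const int *skip, size_t n)
{
    size_t before = null_blocks(NULL), i;
    void *ldb = ctx_new(ROOT);
    void *tmp_ctx = ctx_new(ldb);                /* one context for the whole loop */

    for (i = 0; i < n; i++) {
        void *rec = ctx_alloc(tmp_ctx, 80);      /* struct dnsp_DnssrvRpcRecord */
        void *name = ctx_alloc(tmp_ctx, 19);     /* char[] */
        (void)rec; (void)name;
        if (skip[i]) {
            CTX_FREE(tmp_ctx);                   /* tmp_ctx is NULL from here on ... */
            continue;                            /* ... so later values allocate on NULL */
        }
    }
    CTX_FREE(tmp_ctx);                           /* no-op once tmp_ctx is NULL */
    CTX_FREE(ldb);
    return null_blocks(NULL) - before;
}

/* One fix: a fresh tmp_ctx per value, freed on every path out of the body. */
static size_t scan_fixed(const int *skip, size_t n)
{
    size_t before = null_blocks(NULL), i;
    void *ldb = ctx_new(ROOT);

    for (i = 0; i < n; i++) {
        void *tmp_ctx = ctx_new(ldb);
        void *rec = ctx_alloc(tmp_ctx, 80);
        void *name = ctx_alloc(tmp_ctx, 19);
        (void)rec; (void)name;
        if (skip[i]) {
            CTX_FREE(tmp_ctx);
            continue;
        }
        CTX_FREE(tmp_ctx);
    }
    CTX_FREE(ldb);
    return null_blocks(NULL) - before;
}

int main(void)
{
    const int skip[] = {1, 0, 0, 1, 0};          /* constructed input: value 0 bails out first */
    size_t bytes;
    printf("buggy: %zu blocks leaked\n", scan_buggy(skip, 5));
    null_blocks(&bytes);
    printf("null_context now holds %zu bytes\n", bytes);
    printf("fixed: %zu blocks leaked\n", scan_fixed(skip, 5));
    return 0;
}
```

With the constructed input the buggy loop leaks two blocks (99 bytes) for every value after the first bail-out, which is the per-record figure in the next comment; a bail-out only on the last value leaks nothing, which is why the bug is easy to miss in small tests.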
A reference point for the scale of the leak:

    $ bin/ldbsearch -H st/ad_dc/private/sam.ldb '(&(objectClass=dnsNode)(dnsRecord:1.3.6.1.4.1.7165.4.5.3:=0))' --leak-report-full
    [...]
    full talloc report on 'null_context' (total 2227 bytes in 47 blocks)
        char                          contains 19 bytes in 1 blocks (ref 0) 0x55ec45c6cf20
        struct dnsp_DnssrvRpcRecord   contains 80 bytes in 1 blocks (ref 0) 0x55ec44be6d90
    [...]

There are 12 leaked records on the bare testenv, 99 bytes per record. If scavenging is enabled this will happen daily.

A non-system user (e.g. the ldap server) is forbidden from running this search:

    $ bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD '(&(objectClass=dnsNode)(dnsRecord:1.3.6.1.4.1.7165.4.5.3:=0))'
    search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Indexed and full searches both failed!
This bug was referenced in samba master: 56483a2799430d36dcb9036b8a6f5eece959ba9f
fixed in 4.15