spnego_parse() allocates off the stackframe, but the result gets
stolen onto the request by gensec_spnego_update_out() at
auth/gensec/spnego.c:1260:
talloc_steal(out_mem_ctx, _out->data);
pointer we're stealing:
0x941e4a0 (DATA_BLOB: ../libcli/auth/spnego_parse.c:341) (in pool 0x9420858 ../source3/smbd/process.c:3590)
0x941dfa8 (struct spnego_state) (in pool 0x9420858 ../source3/smbd/process.c:3590)
0x941de70 (struct gensec_security) (in pool 0x9420858 ../source3/smbd/process.c:3590)
0x9420858 (../source3/smbd/process.c:3590) (POOL)
0x93f76e8 (TALLOC_CTX *)
0x93e3058 (null_context)
context we're stealing onto:
0x93ff860 (struct smb_request)
0x9420430 (struct smbd_server_connection)
0x93fc5e0 (struct smbXsrv_connection)
0x93e6678 (struct tevent_context)
0x93e3058 (null_context)
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
}
if (!asn1->has_error) {
- *blob = data_blob_talloc(mem_ctx, asn1->data, asn1->length);
+ /* mem_ctx may be a pool, and we may steal this in
+ * gensec_spnego_update_out(). So don't allocate in the pool. */
+ *blob = data_blob_talloc(NULL, asn1->data, asn1->length);
+ blob->data = talloc_steal(mem_ctx, blob->data);
ret = asn1->ofs;
}
asn1_free(asn1);
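Review bot: The result of `data_blob_talloc(NULL, ...)` is not checked before `ret = asn1->ofs;` reports success, so if the allocation fails (presumably leaving `blob->data` NULL) the caller is told the write succeeded while holding an empty blob. Consider guarding the two following statements with `if (blob->data != NULL) {` so that `ret` keeps whatever value it had before this block. That value is set outside the hunk, as are the start and end of the enclosing function, so confirm it is an error value. The added comment could also say that the blob is still parented to `mem_ctx` after the `talloc_steal()` and only its storage now lives outside the pool, e.g. `/* still owned by mem_ctx, but not carved out of its pool */`. That makes it clear to the next reader that the caller-visible lifetime is unchanged.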