libcli/auth/spnego_parse.c: don't allocate blob from pool.
authorRusty Russell <rusty@rustcorp.com.au>
Fri, 29 Jun 2012 07:31:11 +0000 (17:01 +0930)
committerRusty Russell <rusty@rustcorp.com.au>
Fri, 29 Jun 2012 07:31:11 +0000 (17:01 +0930)
spnego_parse() allocates off the stackframe, but the result gets
stolen onto the request by gensec_spnego_update_out() at
auth/gensec/spnego.c:1260:

talloc_steal(out_mem_ctx, _out->data);

pointer we're stealing:
  0x941e4a0 (DATA_BLOB: ../libcli/auth/spnego_parse.c:341) (in pool 0x9420858 ../source3/smbd/process.c:3590)
  0x941dfa8 (struct spnego_state) (in pool 0x9420858 ../source3/smbd/process.c:3590)
  0x941de70 (struct gensec_security) (in pool 0x9420858 ../source3/smbd/process.c:3590)
  0x9420858 (../source3/smbd/process.c:3590) (POOL)
  0x93f76e8 (TALLOC_CTX *)
  0x93e3058 (null_context)

context we're stealing onto:
  0x93ff860 (struct smb_request)
  0x9420430 (struct smbd_server_connection)
  0x93fc5e0 (struct smbXsrv_connection)
  0x93e6678 (struct tevent_context)
  0x93e3058 (null_context)

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
libcli/auth/spnego_parse.c

index 3bf7aeab6277c76576a9a6f75b6b5582f12b3177..936b5b1f8f984c6852cfd5d0d25eda584d146fba 100644 (file)
@@ -338,7 +338,10 @@ ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_da
        }
 
        if (!asn1->has_error) {
-               *blob = data_blob_talloc(mem_ctx, asn1->data, asn1->length);
+               /* mem_ctx may be a pool, and we may steal this in
+                * gensec_spnego_update_out().  So don't allocate in the pool. */
+               *blob = data_blob_talloc(NULL, asn1->data, asn1->length);
+               blob->data = talloc_steal(mem_ctx, blob->data);
                ret = asn1->ofs;
        }
        asn1_free(asn1);
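Review bot: The allocation result is still not checked before `ret = asn1->ofs` is set: if data_blob_talloc(NULL, ...) fails (it presumably returns a blob with NULL data, as the other data_blob_talloc callers assume), talloc_steal() of NULL is harmless but the function returns a success length alongside an empty output token, and the caller cannot tell the two apart. Since ret looks to be initialised to an error value above the hunk, the steal and the success assignment could be gated on the allocation, e.g. `if (blob->data != NULL || asn1->length == 0) { blob->data = talloc_steal(mem_ctx, blob->data); ret = asn1->ofs; }`. The new comment would also help a future reader more if it named the failure mode it avoids, e.g. `/* mem_ctx may be a talloc pool; a chunk stolen out of a pool keeps the whole pool alive, so allocate outside it and reparent afterwards. */`. spnego_write_data() starts before and continues after this hunk.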