s4:s3compat Fix use-after-free of winbindd client state

We need to remove this from the global list when we talloc_free() it.

diff --git a/source4/s3compat/s3compat_winbindd.c b/source4/s3compat/s3compat_winbindd.c
index 5b4b71fa0f2e85e74d9d6986d85f3655d2b1089e..ec48a15c4b0ae66e284cbc6491142eac0f2bc2b9 100644 (file)
--- a/source4/s3compat/s3compat_winbindd.c
+++ b/source4/s3compat/s3compat_winbindd.c
@@ -61,6 +61,12 @@ _PUBLIC_ void s3compat_initialise_winbindd(const char *config_file)
                 samba_version_string()));
 }
 
+static int winbindd_cli_state_destructor(struct winbindd_cli_state *state)
+{
+       winbindd_remove_client_from_list(state);
+       return 0;
+}
+
 /* Call into the source3/winbindd per-client code here, as we have
  * already bound to the sockets and accepted the connection at this
  * point */
@@ -75,6 +81,7 @@ _PUBLIC_ struct winbindd_cli_state *s3compat_winbindd_accepted_new_connection(st
        state->last_access = time(NULL);        
        state->wbsrv_conn = wbsrv_conn;
        winbindd_add_client(state);
+       talloc_set_destructor(state, winbindd_cli_state_destructor);
        return state;
 }