s3:registry: Fix possible memory leak in _reg_perfcount_multi_sz_from_tdb()
authorAndreas Schneider <asn@samba.org>
Thu, 9 Aug 2018 14:15:10 +0000 (16:15 +0200)
committerJeremy Allison <jra@samba.org>
Sat, 11 Aug 2018 02:43:15 +0000 (04:43 +0200)
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567

Pair-Programmed-With: Justin Stephenson <jstephen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug 11 04:43:15 CEST 2018 on sn-devel-144

source3/registry/reg_perfcount.c

index db4451ecdeb0b3f61361d02318ec7b7e45d0bd28..e31f8991642f914376db7520d07c91875a10d4bc 100644 (file)
@@ -168,6 +168,7 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
        TDB_DATA kbuf, dbuf;
        char temp[PERFCOUNT_MAX_LEN] = {0};
        char *buf1 = *retbuf;
+       char *p = NULL;
        uint32_t working_size = 0;
        DATA_BLOB name_index, name;
        bool ok;
@@ -185,13 +186,16 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
        }
        /* First encode the name_index */
        working_size = (kbuf.dsize + 1)*sizeof(uint16_t);
-       buf1 = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
-       if(!buf1) {
+       p = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
+       if (p == NULL) {
+               SAFE_FREE(buf1);
                buffer_size = 0;
                return buffer_size;
        }
+       buf1 = p;
        ok = push_reg_sz(talloc_tos(), &name_index, (const char *)kbuf.dptr);
        if (!ok) {
+               SAFE_FREE(buf1);
                buffer_size = 0;
                return buffer_size;
        }
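Review bot: The `SAFE_FREE(buf1)` added after a failed `SMB_REALLOC` may free the buffer a second time, here and in the identical branch of the third hunk. Samba's `SMB_REALLOC` is documented to free its argument on failure, but its definition is not on this page, so confirm before relying on that. If it does, either drop the new `SAFE_FREE(buf1)` in the `p == NULL` branches or switch the call to `p = (char *)SMB_REALLOC_KEEP_OLD_ON_ERROR(buf1, buffer_size + working_size);`. Separately, every failure return clears only the local `buf1`, so `*retbuf` (read in the first hunk) still holds a freed address; `*retbuf = NULL;` before each `return buffer_size;` would keep a caller from reusing or freeing it. The returns in this hunk also leave `dbuf.dptr` allocated, since the only visible `SAFE_FREE(dbuf.dptr)` is in the third hunk; the function starts and ends outside the hunk.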
@@ -199,16 +203,19 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
        buffer_size += working_size;
        /* Now encode the actual name */
        working_size = (dbuf.dsize + 1)*sizeof(uint16_t);
-       buf1 = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
-       if(!buf1) {
+       p = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
+       if (p == NULL) {
+               SAFE_FREE(buf1);
                buffer_size = 0;
                return buffer_size;
        }
+       buf1 = p;
        memset(temp, 0, sizeof(temp));
        memcpy(temp, dbuf.dptr, dbuf.dsize);
        SAFE_FREE(dbuf.dptr);
        ok = push_reg_sz(talloc_tos(), &name, temp);
        if (!ok) {
+               SAFE_FREE(buf1);
                buffer_size = 0;
                return buffer_size;
        }
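Review bot: `memcpy(temp, dbuf.dptr, dbuf.dsize)` copies a length taken from the tdb record into the fixed `char temp[PERFCOUNT_MAX_LEN]` declared in the first hunk, and no bound on `dbuf.dsize` is visible in this hunk. A record of `PERFCOUNT_MAX_LEN` bytes or more would write past `temp`, or fill it with no terminator left for `push_reg_sz()`. A guard before the copy, `if (dbuf.dsize >= sizeof(temp))`, taking the same cleanup-and-return path as the `!ok` branch and also freeing `dbuf.dptr`, would reject oversized records. The additions `(dbuf.dsize + 1)*sizeof(uint16_t)` and `buffer_size + working_size` are both `uint32_t` arithmetic on the same unchecked length and could wrap. The function body starts and ends outside the hunk, so a check may exist elsewhere.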