nsswitch: fix use-after-free causing segfault in _pam_delete_cred

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14327

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar 30 13:01:20 UTC 2020 on sn-devel-184

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 3ad70d3c4cdc83886d6e618fd102357c2b756b1d..7af03fe2bd083bd16f7ad5a1201447569abee281 100644 (file)
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -2609,7 +2609,6 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
                wbc_status = wbcCtxLogoffUserEx(ctx->wbc_ctx, &logoff, &error);
                retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                                     user, "wbcLogoffUser");
-               wbcFreeMemory(error);
                wbcFreeMemory(logoff.blobs);
                logoff.blobs = NULL;
 
@@ -2629,6 +2628,7 @@ out:
                retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                     user, "wbcLogoffUser");
        }
+       wbcFreeMemory(error);
 
        /*
         * Delete the krb5 ccname variable from the PAM environment