libcli/cldap: fix a crash bug in cldap_socket_recv_dgram() (bug #8593)

After a calling any wrapper of tevent_req_notify_callback(),
e.g. tevent_req_nterror(), tevent_req_done(), tevent_req_nomem(),
a function has to return immediately otherwise it is very likely to
crash.

metze

(similar to commit 17f1a97a614db4ed8292544988cb6a6cf56621d8)

diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index 363ffbd1dc5a6c1c3182b18fab50dc08a8691453..aa34a6d6cf4a25f4b576b14401867394e597a7e1 100644 (file)
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -273,12 +273,9 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
 
        DLIST_REMOVE(c->searches.list, search);
 
-       if (!cldap_recvfrom_setup(c)) {
-               goto nomem;
-       }
+       cldap_recvfrom_setup(c);
 
        tevent_req_done(search->req);
-       talloc_free(in);
        return true;
 
 nomem:
@@ -286,6 +283,7 @@ nomem:
 error:
        status = map_nt_error_from_unix(in->recv_errno);
 nterror:
+       TALLOC_FREE(in);
        /* in connected mode the first pending search gets the error */
        if (!c->connected) {
                /* otherwise we just ignore the error */
@@ -294,9 +292,11 @@ nterror:
        if (!c->searches.list) {
                goto done;
        }
+       cldap_recvfrom_setup(c);
        tevent_req_nterror(c->searches.list->req, status);
+       return true;
 done:
-       talloc_free(in);
+       TALLOC_FREE(in);
        return false;
 }