libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 83b7f9bd6cb07509194c759e727fb4ede4d3f587..f0a7b665c75dd37e15da9cebf639d4a1a2aaa9c7 100644 (file)
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -389,7 +389,9 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
        uint32_t bits_remaining;
        struct object_tree *node;
        const struct GUID *type;
-       struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
+       struct dom_sid self_sid;
+
+       dom_sid_parse(SID_NT_SELF, &self_sid);
 
        *access_granted = access_desired;
        bits_remaining = access_desired;
@@ -406,7 +408,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
                        bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
                } else {
-                       talloc_free(ps_sid);
                        return NT_STATUS_PRIVILEGE_NOT_HELD;
                }
        }
@@ -430,7 +431,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
        /* a NULL dacl allows access */
        if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
                *access_granted = access_desired;
-               talloc_free(ps_sid);
                return NT_STATUS_OK;
        }
 
@@ -447,7 +447,7 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                        continue;
                }
 
-               if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
+               if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
                        trustee = replace_sid;
                } else {
                        trustee = &ace->trustee;
@@ -467,7 +467,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                        break;
                case SEC_ACE_TYPE_ACCESS_DENIED:
                        if (bits_remaining & ace->access_mask) {
-                               talloc_free(ps_sid);
                                return NT_STATUS_ACCESS_DENIED;
                        }
                        break;
@@ -495,12 +494,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                        if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
                                object_tree_modify_access(node, ace->access_mask);
                                if (node->remaining_access == 0) {
-                                       talloc_free(ps_sid);
                                        return NT_STATUS_OK;
                                }
                        } else {
                                if (node->remaining_access & ace->access_mask){
-                                       talloc_free(ps_sid);
                                        return NT_STATUS_ACCESS_DENIED;
                                }
                        }
@@ -511,7 +508,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
        }
 
 done:
-       talloc_free(ps_sid);
        if (bits_remaining != 0) {
                return NT_STATUS_ACCESS_DENIED;
        }