ldb: Avoid use-after-free when one error message is printed into another

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 0f0f5ab99b69b805cd0535399ca9d7c4c34abc11..a824c7a1e27fb3a7455d58eb0ecd425c3d1e9cb4 100644 (file)
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -284,15 +284,17 @@ void ldb_set_errstring(struct ldb_context *ldb, const char *err_string)
 void ldb_asprintf_errstring(struct ldb_context *ldb, const char *format, ...)
 {
        va_list ap;
-
+       char *old_err_string = NULL;
        if (ldb->err_string) {
-               talloc_free(ldb->err_string);
+               old_err_string = ldb->err_string;
        }
 
        va_start(ap, format);
        ldb->err_string = talloc_vasprintf(ldb, format, ap);
        va_end(ap);
 
+       TALLOC_FREE(old_err_string);
+       
        if (ldb->flags & LDB_FLG_ENABLE_TRACING) {
                ldb_debug(ldb, LDB_DEBUG_TRACE, "ldb_asprintf/set_errstring: %s",
                          ldb->err_string);