From 58371c33e924ecb793f71871712025424f3e80b5 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 11 Aug 2023 12:10:46 +1200
Subject: [PATCH] s4:kdc: Properly allocate claims set on a talloc context

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/kdc/ad_claims.c | 52 +++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/source4/kdc/ad_claims.c b/source4/kdc/ad_claims.c
index 309ebe6f2cb..15b2efdf26f 100644
--- a/source4/kdc/ad_claims.c
+++ b/source4/kdc/ad_claims.c
@@ -458,7 +458,13 @@ static int fill_claim_entry(TALLOC_CTX *mem_ctx,
 			    struct CLAIM_ENTRY *claim_entry)
 {
 
-	claim_entry->id = (const char *)name.data;
+	claim_entry->id = talloc_strndup(mem_ctx,
+				     (const char *)name.data,
+				     name.length);
+	if (claim_entry->id == NULL) {
+		return ldb_oom(ldb);
+	}
+
 	claim_entry->type = claim_type;
 
 	switch (claim_type) {
@@ -821,7 +827,7 @@ static int get_all_claims(struct ldb_context *ldb,
 	unsigned i;
 
 	/* The structure which we'll use to build up the claims. */
-	struct CLAIMS_SET claims_set = {};
+	struct CLAIMS_SET *claims_set = NULL;
 
 	struct CLAIMS_ARRAY *ad_sourced_constructed = NULL;
 
@@ -834,6 +840,12 @@ static int get_all_claims(struct ldb_context *ldb,
 		return ldb_oom(ldb);
 	}
 
+	claims_set = talloc_zero(tmp_ctx, struct CLAIMS_SET);
+	if (claims_set == NULL) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+
 	schema = dsdb_get_schema(ldb, tmp_ctx);
 	if (schema == NULL) {
 		talloc_free(tmp_ctx);
@@ -1060,16 +1072,16 @@ static int get_all_claims(struct ldb_context *ldb,
 			}
 
 			if (ad_sourced_constructed == NULL) {
-				claims_set.claims_arrays = talloc_realloc(tmp_ctx,
-									  claims_set.claims_arrays,
-									  struct CLAIMS_ARRAY,
-									  claims_set.claims_array_count + 1);
-				if (claims_set.claims_arrays == NULL) {
+				claims_set->claims_arrays = talloc_realloc(claims_set,
+									       claims_set->claims_arrays,
+									       struct CLAIMS_ARRAY,
+									       claims_set->claims_array_count + 1);
+				if (claims_set->claims_arrays == NULL) {
 					talloc_free(tmp_ctx);
 					return ldb_oom(ldb);
 				}
 
-				ad_sourced_constructed = &claims_set.claims_arrays[claims_set.claims_array_count++];
+				ad_sourced_constructed = &claims_set->claims_arrays[claims_set->claims_array_count++];
 				*ad_sourced_constructed = (struct CLAIMS_ARRAY) {
 					.claims_source_type = CLAIMS_SOURCE_TYPE_AD,
 				};
@@ -1077,7 +1089,7 @@ static int get_all_claims(struct ldb_context *ldb,
 
 			/* Add the claim to the array. */
 			ad_sourced_constructed->claim_entries = talloc_realloc(
-				tmp_ctx,
+				claims_set->claims_arrays,
 				ad_sourced_constructed->claim_entries,
 				struct CLAIM_ENTRY,
 				ad_sourced_constructed->claims_count + 1);
@@ -1161,7 +1173,7 @@ static int get_all_claims(struct ldb_context *ldb,
 		for (i = 0; i < ad_claims_count; ++i) {
 			const struct ldb_message_element *principal_attribute = NULL;
 			struct CLAIM_ENTRY *claim_entry = NULL;
-			uint32_t new_claims_array_count = claims_set.claims_array_count;
+			uint32_t new_claims_array_count = claims_set->claims_array_count;
 
 			/* Get the value of the claim attribute for the principal. */
 			principal_attribute = ldb_msg_find_element(principal_msg,
@@ -1173,23 +1185,23 @@ static int get_all_claims(struct ldb_context *ldb,
 			/* Add the claim to the array. */
 
 			if (ad_sourced_constructed == NULL) {
-				claims_set.claims_arrays = talloc_realloc(tmp_ctx,
-									  claims_set.claims_arrays,
-									  struct CLAIMS_ARRAY,
-									  new_claims_array_count + 1);
-				if (claims_set.claims_arrays == NULL) {
+				claims_set->claims_arrays = talloc_realloc(claims_set,
+									       claims_set->claims_arrays,
+									       struct CLAIMS_ARRAY,
+									       new_claims_array_count + 1);
+				if (claims_set->claims_arrays == NULL) {
 					talloc_free(tmp_ctx);
 					return ldb_oom(ldb);
 				}
 
-				ad_sourced_constructed = &claims_set.claims_arrays[new_claims_array_count++];
+				ad_sourced_constructed = &claims_set->claims_arrays[new_claims_array_count++];
 				*ad_sourced_constructed = (struct CLAIMS_ARRAY) {
 					.claims_source_type = CLAIMS_SOURCE_TYPE_AD,
 				};
 			}
 
 			ad_sourced_constructed->claim_entries = talloc_realloc(
-				tmp_ctx,
+				claims_set->claims_arrays,
 				ad_sourced_constructed->claim_entries,
 				struct CLAIM_ENTRY,
 				ad_sourced_constructed->claims_count + 1);
@@ -1220,19 +1232,19 @@ static int get_all_claims(struct ldb_context *ldb,
 				 * array(s).
 				 */
 				++ad_sourced_constructed->claims_count;
-				claims_set.claims_array_count = new_claims_array_count;
+				claims_set->claims_array_count = new_claims_array_count;
 			}
 		}
 	}
 
-	if (claims_set.claims_array_count == 0) {
+	if (claims_set->claims_array_count == 0) {
 		/* If we have no claims, we're done. */
 		talloc_free(tmp_ctx);
 		return LDB_SUCCESS;
 	}
 
 	/* Encode the claims ready to go into a PAC buffer. */
-	status = encode_claims_set(mem_ctx, &claims_set, claims_blob);
+	status = encode_claims_set(mem_ctx, claims_set, claims_blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		ret = LDB_ERR_OPERATIONS_ERROR;
 	}