In sudo_netgroup_lookup() only build up the search filter once

instead of once per netgroup_base.

plugins/sudoers/ldap.c

@@ -1392,11 +1392,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
     /* Use NIS domain if set, else wildcard match. */
     domain = sudo_getdomainname();
 
-    STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) {
-	DPRINTF1("searching from netgroup_base '%s'", base->val);
-
     /* Build query, using NIS domain if it is set. */
-	/* XXX - move outside foreach */
     if (domain != NULL) {
 	filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 +
 	    sudo_ldap_value_len(pw->pw_name);
@@ -1476,12 +1472,12 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
 	}
 	CHECK_STRLCAT(filt, ",*\\29)))", filt_len);
     }
-	/* XXX - refactor duplicated code */
     DPRINTF1("ldap netgroup search filter: '%s'", filt);
-	result = NULL;
+
+    STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) {
+	DPRINTF1("searching from netgroup_base '%s'", base->val);
 	rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
 	    NULL, 0, NULL, NULL, tvp, 0, &result);
-	free(filt);
 	if (rc != LDAP_SUCCESS) {
 	    DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc));
 	    ldap_msgfree(result);
@@ -1516,6 +1512,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
 	    }
 	}
 	ldap_msgfree(result);
+	result = NULL;
 
 	/* Check for nested netgroups in what we added. */
 	ng = old_tail ? STAILQ_NEXT(old_tail, entries) : STAILQ_FIRST(netgroups);
@@ -1524,9 +1521,11 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
 		debug_return_bool(false);
 	}
     }
+    free(filt);
     debug_return_bool(true);
 oom:
     sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+    free(filt);
     ldap_msgfree(result);
     debug_return_bool(false);
 overflow: