From 6d10d41ef71f5b0d09a1b3c45d1d91d81a367c63 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 7 Jun 2012 18:24:38 +0300
Subject: [PATCH] s3-librpc-crypto: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()

gss_get_name_attribute() can return unintialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

We need to initialize variables before using gss_get_name_attribute()
---
 source3/librpc/crypto/gse.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 335dc1c..02fb0f6 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -688,8 +688,24 @@ NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
 TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
 {
 OM_uint32 gss_min, gss_maj;
- gss_buffer_desc pac_buffer;
- gss_buffer_desc pac_display_buffer;
+/*
+ * gss_get_name_attribute() in MIT krb5 1.10.0 can return unintialized pac_display_buffer
+ * and later gss_release_buffer() will crash on attempting to release it.
+ *
+ * So always initialize the buffer descriptors.
+ *
+ * See following links for more details:
+ * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
+ */
+ gss_buffer_desc pac_buffer = {
+ .value = NULL,
+ .length = 0
+ };
+ gss_buffer_desc pac_display_buffer = {
+ .value = NULL,
+ .length = 0
+ };
 gss_buffer_desc pac_name = {
 .value = discard_const_p(char, "urn:mspac:"),
 .length = sizeof("urn:mspac:") - 1
-- 
1.7.10
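Review bot: The new comment block (`+/*` through `+ */`) starts at column 0 inside the body of gse_get_pac_blob while the declarations it explains are indented, so it reads like a file-level comment rather than a note on those two locals; indent it to the same level as `gss_buffer_desc pac_buffer = {`. The comment also misspells "uninitialized" as "unintialized", the same typo as in the commit message. The two designated initializers express exactly what the GSS-API already provides as a named constant, so `gss_buffer_desc pac_buffer = GSS_C_EMPTY_BUFFER;` and `gss_buffer_desc pac_display_buffer = GSS_C_EMPTY_BUFFER;` would state the intent in one line each and make it obvious that the later gss_release_buffer() calls see an empty descriptor on every path. Whether that release is still reached with a partially filled descriptor on the error path after gss_get_name_attribute() cannot be judged here, since the rest of the function body lies outside this hunk.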