authorAlexander Bokovoy <ab@samba.org>2012-06-06 16:52:18 +0300
committerAlexander Bokovoy <ab@samba.org>2012-06-06 18:22:51 +0200
commit238d24af4ed1457b684b6e497d1ca134f9ea567d (patch)
tree5bc0b9da9babe0e902dd40df65ffe2384dbd0ccd
parentf3df2988ba6928cde0bd89da321bbe74fd76f53f (diff)
auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
gss_get_name_attribute() can return uninitialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 We need to initialize variables before using gss_get_name_attribute() Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
-rw-r--r--auth/kerberos/gssapi_pac.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index dadae1afa2..a17405211d 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -80,8 +80,24 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
NTSTATUS status;
OM_uint32 gss_maj, gss_min;
#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
- gss_buffer_desc pac_buffer;
- gss_buffer_desc pac_display_buffer;
+/*
+ * gss_get_name_attribute() in MIT krb5 1.10.0 can return unintialized pac_display_buffer
+ * and later gss_release_buffer() will crash on attempting to release it.
+ *
+ * So always initialize the buffer descriptors.
+ *
+ * See following links for more details:
+ * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
+ */
+ gss_buffer_desc pac_buffer = {
+ .value = NULL,
+ .length = 0
+ };
+ gss_buffer_desc pac_display_buffer = {
+ .value = NULL,
+ .length = 0
+ };
gss_buffer_desc pac_name = {
.value = discard_const("urn:mspac:"),
.length = sizeof("urn:mspac:")-1
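Review bot: The new initializers for `pac_buffer` and `pac_display_buffer` hand-write the empty descriptor where GSS-API already defines `GSS_C_EMPTY_BUFFER` for this purpose; `gss_buffer_desc pac_buffer = GSS_C_EMPTY_BUFFER;` (and the same for `pac_display_buffer`) is shorter and states the intent directly. The added comment names only `pac_display_buffer` although both descriptors are now initialized, and it misspells "uninitialized"; I would reword it to `gss_get_name_attribute() in MIT krb5 1.10.0 can leave its output buffers uninitialized, and a later gss_release_buffer() on them crashes`, indented with the declarations rather than at column 0. The body of gssapi_obtain_pac_blob continues outside the hunk, so the `gss_release_buffer()` calls are not visible here. It is worth confirming that every output descriptor handed to `gss_get_name_attribute()` starts empty, and that nothing reads `pac_buffer.value` after a failed call.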