authorVolker Lendecke <vl@samba.org>2012-02-09 16:07:12 +0100
committerVolker Lendecke <vl@samba.org>2012-02-09 19:44:47 +0100
commit744ed53a62037a659133ccd4de2065491208ae7d (patch)
tree4954179593eac48709053c59802bd15f45538469
parent5ec12732c3092d248a374ae7af155a409c7ee88e (diff)
gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error: ==27740== Invalid write of size 8 ==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112) ==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141) ==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181) ==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735) ==27740== by 0x50D6FD: negprot_spnego (negprot.c:210) ==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209) ==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417) ==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643) ==27740== by 0x585C00: process_smb (process.c:1641) ==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314) ==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984) ==27740== by 0x58B2D9: smbd_process (process.c:3389) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd ==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27740== by 0x6926965: __talloc (talloc.c:560) ==27740== by 0x6926771: talloc_pool (talloc.c:598) ==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145) ==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171) ==27740== by 0x58B2B7: smbd_process (process.c:3385) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: 
_tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements. Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
-rw-r--r--auth/gensec/gensec_start.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 08b2fb68cb..ab092a7bb1 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -75,7 +75,8 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
/* noop */
}
- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
+ new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *,
+ num_mechs_in*2 + 1);
if (!new_gensec_list) {
return NULL;
}
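Review bot: The `*2` in the new `talloc_array` size is not explained in the code, and nothing ties it to the loop that fills `new_gensec_list`; the reason (the for-loop can increment `j` twice per input mech) is recorded only in the commit message. A comment above the allocation, for example `/* the loop below may store two entries per input mech; the extra slot is presumably the terminator */`, would keep the sizing and the loop from drifting apart if another append path is added later. That matters here because the valgrind trace shows the out-of-bounds write being reached from `negprot_spnego` during SMB2 negotiation. The loop is outside this hunk, so the two-per-mech bound is taken from the commit message rather than checked against the code. If `num_mechs_in` is a plain `int`, `num_mechs_in*2 + 1` is evaluated in that type before talloc's own size check sees it, which is unlikely to matter for a short mech list but is worth confirming.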