From 744ed53a62037a659133ccd4de2065491208ae7d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Feb 2012 16:07:12 +0100 Subject: gensec: Fix a memory corruption in gensec_use_kerberos_mechs Without this I get the following valgrind error: ==27740== Invalid write of size 8 ==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112) ==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141) ==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181) ==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735) ==27740== by 0x50D6FD: negprot_spnego (negprot.c:210) ==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209) ==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417) ==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643) ==27740== by 0x585C00: process_smb (process.c:1641) ==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314) ==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984) ==27740== by 0x58B2D9: smbd_process (process.c:3389) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd ==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27740== by 0x6926965: __talloc (talloc.c:560) ==27740== by 0x6926771: talloc_pool (talloc.c:598) ==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145) ==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171) ==27740== by 0x58B2B7: smbd_process (process.c:3385) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements. Autobuild-User: Volker Lendecke Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104 --- auth/gensec/gensec_start.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'auth/gensec') diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 08b2fb68cb..ab092a7bb1 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -75,7 +75,8 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ /* noop */ } - new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1); + new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, + num_mechs_in*2 + 1); if (!new_gensec_list) { return NULL; } -- cgit