[SCM] Samba Shared Repository - branch master updated
Simo Sorce
idra at samba.org
Fri Feb 12 14:40:14 MST 2010
The branch, master has been updated
via 30797ce... s4:kdc Fill in created_by principal field
via 2e2b7e8... s4:kdc Fix double free and uninitialized memory.
from 89621d8... testprogs: print all printerinfo levels in spoolss test.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 30797cec7d826a75e6e458829fc3b2203d841ba3
Author: Simo Sorce <idra at samba.org>
Date: Fri Feb 12 16:24:22 2010 -0500
s4:kdc Fill in created_by principal field
commit 2e2b7e82592dc5dbb818b621cafafdab05796a12
Author: Simo Sorce <idra at samba.org>
Date: Fri Feb 12 14:54:18 2010 -0500
s4:kdc Fix double free and uninitialized memory.
In samba_kdc_trust_message2entry() on error, hdb_free_entry()
may end up trying to access uninitialized memory or double
free the hdb_entry.
-----------------------------------------------------------------------
Summary of changes:
source4/kdc/db-glue.c | 26 ++++++++++++++++++++------
1 files changed, 20 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index c434ccb..4fc94f8 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -180,6 +180,13 @@ static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
{
+ /* this function is called only from hdb_free_entry().
+ * Make sure we neutralize the destructor or we will
+ * get a double free later when hdb_free_entry() will
+ * try to call free_hdb_entry() */
+ talloc_set_destructor(entry_ex->ctx, NULL);
+
+ /* now proceed to free the talloc part */
talloc_free(entry_ex->ctx);
}
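Review bot: After `talloc_free(entry_ex->ctx);` the `ctx` member still holds the freed pointer, so a second pass through this function on the same `hdb_entry_ex` would hand freed memory to the new `talloc_set_destructor()` call. The comment states the function is only called from hdb_free_entry(), but nothing in the hunk enforces that an entry is freed only once. A cheap hardening is to open the body with `if (entry_ex->ctx == NULL) return;` and to add `entry_ex->ctx = NULL;` after the free. Whether any caller actually frees an entry twice is not visible from here.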
@@ -542,6 +549,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
talloc_set_destructor(p, samba_kdc_entry_destructor);
+ /* make sure we do not have bogus data in there */
+ memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+
entry_ex->ctx = p;
entry_ex->free_entry = samba_kdc_free_entry;
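Review bot: The new `memset()` runs only after `talloc_set_destructor(p, ...)`, so any earlier failure path in samba_kdc_message2entry() that reaches the cleanup code would still see an uninitialised `entry_ex->entry`. The start of the function is outside this hunk, so this needs confirming against the full body. Zeroing the entry as the first statement of the function would cover every error path. Writing it as `memset(&entry_ex->entry, 0, sizeof(entry_ex->entry));` also ties the size to the object rather than to the type name. The same applies to the identical memset added in samba_kdc_trust_message2entry().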
@@ -741,7 +751,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
const char *dnsdomain;
- char *realm;
+ char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
DATA_BLOB password_utf16;
struct samr_Password password_hash;
const struct ldb_val *password_val;
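Review bot: The result of `strupper_talloc()` in the new initialiser for `realm` is never checked in the visible code, and it is now evaluated for both trust directions before any other validation. If the allocation fails, or if `lp_realm(lp_ctx)` can return NULL, `realm` reaches the `krb5_make_principal()` call added further down as NULL. A check right after the declarations would make the failure explicit, for example `if (realm == NULL) { ret = ENOMEM; goto out; }`. That assumes the function's `ret` variable and `out` cleanup label, neither of which is visible in this hunk.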
@@ -763,24 +773,30 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
talloc_set_destructor(p, samba_kdc_entry_destructor);
+ /* make sure we do not have bogus data in there */
+ memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+
entry_ex->ctx = p;
entry_ex->free_entry = samba_kdc_free_entry;
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
- /* use '???' */
- entry_ex->entry.created_by.principal = NULL;
+ /* use 'kadmin' for now (needed by mit_samba) */
+ krb5_make_principal(context,
+ &entry_ex->entry.created_by.principal,
+ realm, "kadmin", NULL);
entry_ex->entry.valid_start = NULL;
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
if (direction == INBOUND) {
- realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
} else { /* OUTBOUND */
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+ /* replace realm */
+ talloc_free(realm);
realm = strupper_talloc(mem_ctx, dnsdomain);
password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
}
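Review bot: The return value of the new `krb5_make_principal()` call is discarded, so on failure `created_by.principal` silently stays NULL (from the memset above) even though the comment says mit_samba needs it. Capture and act on the result, e.g. `ret = krb5_make_principal(context, &entry_ex->entry.created_by.principal, realm, "kadmin", NULL);` followed by `if (ret) goto out;`, assuming the function's `ret`/`out` cleanup pattern, which lies outside the hunk. Separately, in the OUTBOUND branch `dnsdomain` is NULL when `trustPartner` is missing and is passed straight to `strupper_talloc()`. A NULL check on `dnsdomain`, and on the replaced `realm`, before they are used would be safer. The function body continues past this hunk.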
@@ -821,8 +837,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
break;
}
}
- entry_ex->entry.keys.len = 0;
- entry_ex->entry.keys.val = NULL;
if (i < password_blob.count) {
Key key;
--
Samba Shared Repository