[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Wed Jun 13 11:42:03 MDT 2012


The branch, v3-6-test has been updated
       via  185c205 s3-librpc-crypto: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
      from  8b3b1aa We are triggering the cleanup_timeout_fn() too often, on exiting when an smbd is idle.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 185c2054fd22de0ab07a762a279a7ef0db5d802c
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu Jun 7 18:24:38 2012 +0300

    s3-librpc-crypto: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
    
    gss_get_name_attribute() can return uninitialized pac_display_buffer
    and later gss_release_buffer() will crash on attempting to release it.
    
    The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
    http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
    
    We need to initialize variables before using gss_get_name_attribute()
    
    Fix bug #8988 (avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()).

-----------------------------------------------------------------------

Summary of changes:
 source3/librpc/crypto/gse.c |   20 ++++++++++++++++++--
 1 files changed, 18 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 335dc1c..02fb0f6 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -688,8 +688,24 @@ NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
 			  TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
 {
 	OM_uint32 gss_min, gss_maj;
-	gss_buffer_desc pac_buffer;
-	gss_buffer_desc pac_display_buffer;
+/*
+ * gss_get_name_attribute() in MIT krb5 1.10.0 can return unintialized pac_display_buffer
+ * and later gss_release_buffer() will crash on attempting to release it.
+ *
+ * So always initialize the buffer descriptors.
+ *
+ * See following links for more details:
+ * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
+ */
+	gss_buffer_desc pac_buffer = {
+		.value = NULL,
+		.length = 0
+	};
+	gss_buffer_desc pac_display_buffer = {
+		.value = NULL,
+		.length = 0
+	};
 	gss_buffer_desc pac_name = {
 		.value = discard_const_p(char, "urn:mspac:"),
 		.length = sizeof("urn:mspac:") - 1
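Review bot: the comment block added above the pac_buffer declaration starts at column 0 while the declarations around it are tab-indented, and it spells "unintialized"; indent it to match the function body and correct the spelling. The commit message states that the MIT krb5 fix is in 1.10.1, and that is worth repeating in the comment so a later reader knows which versions need the workaround. The two zero initializers could also be written as GSS_C_EMPTY_BUFFER from the GSS-API C bindings, which states the intent directly and does not depend on the field names.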


-- 
Samba Shared Repository

