gensec: Fix a memory corruption in gensec_use_kerberos_mechs

Andrew Bartlett abartlet at samba.org
Thu Feb 9 19:25:31 MST 2012


On Thu, 2012-02-09 at 19:45 +0100, Volker Lendecke wrote:
> The branch, master has been updated
>        via  744ed53 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
>       from  5ec1273 s3-printing: Add new printers to registry.
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 744ed53a62037a659133ccd4de2065491208ae7d
> Author: Volker Lendecke <vl at samba.org>
> Date:   Thu Feb 9 16:07:12 2012 +0100
> 
>     gensec: Fix a memory corruption in gensec_use_kerberos_mechs
>     
>     Without this I get the following valgrind error:
>     
>     ==27740== Invalid write of size 8
>     ==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
>     ==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
>     ==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
>     ==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
> 
>     In the for-loop we can increment j twice, so we need twice as many output array
>     elements as input array elements.

Thanks for finding this!  

In this case it wasn't intentional that there ever be more output
mechanisms than were input to the filter, so I would like to propose an
alternate approach. 

I've attached a proposed patch, but unfortunately (and oddly) I've been
unable to reproduce the original issue under valgrind.  Can you
double-check it for me?

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Revert-gensec-Fix-a-memory-corruption-in-gensec_use_.patch
Type: text/x-patch
Size: 1066 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120210/7f3f4b3e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-gensec-set-flag-to-continue-in-outer-for-loop-in-gen.patch
Type: text/x-patch
Size: 1398 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120210/7f3f4b3e/attachment-0001.bin>
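The commit message above describes the defect only in one sentence: a filter loop over the mechanism table can advance the output index `j` twice in one outer iteration, so an output array sized to the input overflows. The attachment name of Andrew's second patch ("set flag to continue in outer for-loop") hints at the alternative fix. The following is an added, self-contained illustration of that pattern; it is not Samba's `gensec_use_kerberos_mechs` code. The `struct mech`, the `krb_policy` enum, the `krb_oids` list and the sample mechanism names are all constructed for the example. The `continue_outer` parameter switches between the fallthrough that double-appends a matching entry and the flag-based fix; every store is bounds-checked against `cap`, and the function returns how many entries the loop tried to emit so the caller can see the overrun that valgrind reported as an invalid write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a mechanism table entry (not Samba's real struct). */
struct mech {
    const char *oid;    /* mechanism identifier; sample values are constructed */
};

/* Constructed policy, loosely modelled on a "use kerberos: no/yes/auto" knob. */
enum krb_policy { KRB_NO = 0, KRB_YES = 1, KRB_AUTO = 2 };

/* Constructed list of identifiers the filter treats as Kerberos mechanisms. */
static const char *const krb_oids[] = { "krb5", "ms-krb5" };

/*
 * Filter `in` (n entries) into `out` (cap slots) according to `pol`.
 *
 * With continue_outer == false the control flow mirrors the flawed pattern the
 * commit message describes: a Kerberos entry is appended by the inner loop and,
 * because nothing skips the rest of the outer iteration, appended again by the
 * non-Kerberos branch below, so j advances twice for one input element.
 * With continue_outer == true the inner match sets a flag and the outer loop
 * continues, which is the "continue in outer for-loop" approach.
 *
 * Stores are bounds-checked against cap; the return value is the number of
 * entries the loop tried to emit, so a caller can compare it with cap instead
 * of silently writing past the end of the array.
 */
static size_t filter_mechs(const struct mech *in, size_t n, enum krb_policy pol,
                           const struct mech **out, size_t cap,
                           bool continue_outer)
{
    size_t i, k, j = 0;

    for (i = 0; i < n; i++) {
        bool handled = false;

        for (k = 0; k < sizeof(krb_oids) / sizeof(krb_oids[0]); k++) {
            if (strcmp(in[i].oid, krb_oids[k]) != 0) {
                continue;
            }
            if (pol != KRB_NO) {
                if (j < cap) out[j] = &in[i];     /* first append */
                j++;
            }
            handled = continue_outer;            /* the fix: in[i] is done */
            break;
        }
        if (handled) {
            continue;                            /* skip the second append */
        }
        if (pol != KRB_YES) {
            if (j < cap) out[j] = &in[i];        /* second append in the buggy path */
            j++;
        }
    }
    return j;
}

/* Constructed sample table: two Kerberos-style entries around one other entry. */
static const struct mech sample[] = { { "krb5" }, { "ntlmssp" }, { "ms-krb5" } };
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

/* Number of slots the filter tried to use when the output is sized to the input. */
size_t demo_needed(enum krb_policy pol, bool continue_outer)
{
    const struct mech *out[SAMPLE_N];
    return filter_mechs(sample, SAMPLE_N, pol, out, SAMPLE_N, continue_outer);
}

/* True when the loop would have written past an output array of SAMPLE_N slots. */
bool demo_overflows(enum krb_policy pol, bool continue_outer)
{
    return demo_needed(pol, continue_outer) > SAMPLE_N;
}

int main(void)
{
    printf("auto, fallthrough: needed %zu of %zu slots (overflow: %s)\n",
           demo_needed(KRB_AUTO, false), SAMPLE_N,
           demo_overflows(KRB_AUTO, false) ? "yes" : "no");
    printf("auto, continue flag: needed %zu of %zu slots (overflow: %s)\n",
           demo_needed(KRB_AUTO, true), SAMPLE_N,
           demo_overflows(KRB_AUTO, true) ? "yes" : "no");
    return 0;
}
```

The worst case of the fallthrough path is every input being a Kerberos entry under the "auto" policy, which emits exactly 2n entries; that is the bound the committed fix sizes the array for, whereas the continue-flag variant keeps the output at most n entries long and makes the larger allocation unnecessary. Under valgrind the difference between the two shows up as the presence or absence of the "Invalid write" at the second append.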
