CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure

[samba.git] / source4 / kdc / kpasswd-service.c

diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index 061aedc80e57d059d052b885b35a448a12ff3d81..22e1295c11ef871f7a497f3189c9ccb33f1507a3 100644 (file)
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -256,6 +256,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                                      &kpasswd_dec_reply,
                                      &error_string);
        if (code != 0) {
+               ap_rep_blob = data_blob_null;
                error_code = code;
                goto reply;
        }
@@ -265,6 +266,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                             &kpasswd_dec_reply,
                             &enc_data_blob);
        if (!NT_STATUS_IS_OK(status)) {
+               ap_rep_blob = data_blob_null;
                error_code = KRB5_KPASSWD_HARDERROR;
                error_string = talloc_asprintf(tmp_ctx,
                                               "gensec_wrap failed - %s\n",