From: Alexander Bokovoy Date: Wed, 6 Jun 2012 13:52:18 +0000 (+0300) Subject: auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute() X-Git-Tag: tevent-0.9.16~35 X-Git-Url: http://git.samba.org/samba.git/?a=commitdiff_plain;h=238d24af4ed1457b684b6e497d1ca134f9ea567d;p=kai%2Fsamba-autobuild%2F.git auth-kerberos: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute() gss_get_name_attribute() can return unintialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it. The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 We need to initialize variables before using gss_get_name_attribute() Autobuild-User: Alexander Bokovoy Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104 --- diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c index dadae1afa26..a17405211d0 100644 --- a/auth/kerberos/gssapi_pac.c +++ b/auth/kerberos/gssapi_pac.c @@ -80,8 +80,24 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx, NTSTATUS status; OM_uint32 gss_maj, gss_min; #ifdef HAVE_GSS_GET_NAME_ATTRIBUTE - gss_buffer_desc pac_buffer; - gss_buffer_desc pac_display_buffer; +/* + * gss_get_name_attribute() in MIT krb5 1.10.0 can return unintialized pac_display_buffer + * and later gss_release_buffer() will crash on attempting to release it. + * + * So always initialize the buffer descriptors. + * + * See following links for more details: + * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 + * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 + */ + gss_buffer_desc pac_buffer = { + .value = NULL, + .length = 0 + }; + gss_buffer_desc pac_display_buffer = { + .value = NULL, + .length = 0 + }; gss_buffer_desc pac_name = { .value = discard_const("urn:mspac:"), .length = sizeof("urn:mspac:")-1
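Review bot: the two new initializers for pac_buffer and pac_display_buffer in the HAVE_GSS_GET_NAME_ATTRIBUTE block spell out `.value = NULL, .length = 0` by hand, while the GSS-API C bindings define GSS_C_EMPTY_BUFFER for this purpose; `gss_buffer_desc pac_buffer = GSS_C_EMPTY_BUFFER;` (and the same for pac_display_buffer) would be shorter and state the intent directly. The added comment names only pac_display_buffer as the descriptor MIT krb5 1.10.0 may leave unset, yet pac_buffer is initialized as well; a short clause saying both are initialized defensively would keep a later cleanup from dropping one of them as redundant. The comment block also starts at column 0 inside the function body, whereas the declarations it documents are indented, and it carries the typo "unintialized"; indent it to match and correct the spelling.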