From e5d53c68d9bdc18067e98c2f7ef47a7441602a66 Mon Sep 17 00:00:00 2001 
From: Noel Power Date: Tue, 14 Apr 2020 11:21:22 +0100 Subject: [PATCH] s3/librpc/crypto: Fix double free with unresolved credential cache We free gse_ctx->k5ctx but then free it again in the talloc dtor. This patch just lets the talloc dtor handle things and removes the extra krb5_free_context Failed to resolve credential cache 'DIR:/run/user/1000/krb5cc'! (No credentials cache found) ==30762== Invalid read of size 8 ==30762== at 0x108100F4: k5_os_free_context (in /usr/lib64/libkrb5.so.3.3) ==30762== by 0x107EA661: krb5_free_context (in /usr/lib64/libkrb5.so.3.3) ==30762== by 0x7945D2E: gse_context_destructor (gse.c:84) ==30762== by 0x645FB49: _tc_free_internal (talloc.c:1157) ==30762== by 0x645FEC5: _talloc_free_internal (talloc.c:1247) ==30762== by 0x646118D: _talloc_free (talloc.c:1789) ==30762== by 0x79462E4: gse_context_init (gse.c:241) ==30762== by 0x794636E: gse_init_client (gse.c:268) ==30762== by 0x7947602: gensec_gse_client_start (gse.c:786) ==30762== by 0xBC87A3A: gensec_start_mech (gensec_start.c:743) ==30762== by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774) ==30762== by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633) ==30762== Address 0x17259928 is 40 bytes inside a block of size 496 free'd ==30762== at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==30762== by 0x79462CA: gse_context_init (gse.c:238) ==30762== by 0x794636E: gse_init_client (gse.c:268) ==30762== by 0x7947602: gensec_gse_client_start (gse.c:786) ==30762== by 0xBC87A3A: gensec_start_mech (gensec_start.c:743) ==30762== by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774) ==30762== by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633) ==30762== by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537) ==30762== by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943) ==30762== by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741) ==30762== by 0xBC85622: gensec_update_send (gensec.c:449) ==30762== by 
0x551BFD0: cli_session_setup_gensec_local_next (cliconnect.c:997) ==30762== Block was alloc'd at ==30762== at 0x4C306B5: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==30762== by 0x107EA7AE: krb5_init_context_profile (in /usr/lib64/libkrb5.so.3.3) ==30762== by 0xB853215: smb_krb5_init_context_common (krb5_samba.c:3597) ==30762== by 0x794615B: gse_context_init (gse.c:209) ==30762== by 0x794636E: gse_init_client (gse.c:268) ==30762== by 0x7947602: gensec_gse_client_start (gse.c:786) ==30762== by 0xBC87A3A: gensec_start_mech (gensec_start.c:743) ==30762== by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774) ==30762== by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633) ==30762== by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537) ==30762== by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943) ==30762== by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741) ==30762== BUG: https://bugzilla.samba.org/show_bug.cgi?id=14344 Signed-off-by: Noel Power Reviewed-by: Volker Lendecke Autobuild-User(master): Noel Power Autobuild-Date(master): Tue Apr 14 22:55:51 UTC 2020 on sn-devel-184 (cherry picked from commit 34f8ab774d1484b0e60dbdec8ad2a1607ad92122)
---
 source3/librpc/crypto/gse.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 9a9f4261222..47dc1a0649a 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -234,10 +234,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 
 err_out:
- if (gse_ctx->k5ctx) {
- krb5_free_context(gse_ctx->k5ctx);
- }
-
 TALLOC_FREE(gse_ctx);
 return status;
 }
-- 
2.16.4
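Review bot: The err_out path now relies entirely on gse_context_destructor to release gse_ctx->k5ctx, and that ownership should be stated at the label so nobody re-introduces an explicit free and the double free that this commit removes: `err_out:` followed by `/* k5ctx and the rest of gse_ctx are released by gse_context_destructor via TALLOC_FREE */`. This only holds if talloc_set_destructor() is attached before the first goto err_out that can follow smb_krb5_init_context_common (gse.c:209 in the trace); the trace shows the destructor firing from the TALLOC_FREE at gse.c:241, but the registration point is outside this hunk, so please confirm it precedes every such failure path, otherwise k5ctx now leaks instead of being freed twice. It is also worth confirming that the destructor tolerates k5ctx == NULL, since the hunk drops the NULL guard that used to sit in front of krb5_free_context while TALLOC_FREE(gse_ctx) is still reached from any goto err_out that fires before k5ctx is set. gse_context_init begins before this hunk.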