From b48944c64a7300fa855c2d10e150bfdc40f76d0e Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 17 Mar 2023 09:25:52 +1300
Subject: [PATCH 1/2] s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()

Heimdal contains an assertion that the data pointer is not NULL. We need to pass in a pointer to some dummy data instead.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit 47ef49fd91f050ce4a79a8471b3e66c808f48752)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476
---
 source4/kdc/pac-glue.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index f844b08d5139..621999faa293 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1793,6 +1793,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 DATA_BLOB type_blob = data_blob_null;
 uint32_t type;
 
+ static char null_byte = '\0';
+ const krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
+
 if (forced_next_type != 0) {
 /*
 * We need to inject possible missing types
@@ -1952,10 +1955,14 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 }
 
+ /*
+ * Passing a NULL pointer into krb5_pac_add_buffer() is
+ * not allowed, so pass null_data instead if needed.
+ */
 code = krb5_pac_add_buffer(context,
 new_pac,
 type,
- &type_data);
+ (type_data.data != NULL) ? &type_data : &null_data);
 smb_krb5_free_data_contents(context, &type_data);
 if (code != 0) {
 goto done;
-- 
2.34.1

From c6ce8a36eb0d984767dea928427570112a4ab82e Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 17 Mar 2023 09:16:17 +1300
Subject: [PATCH 2/2] s4:kdc: Avoid copying data if not needed

krb5_pac_add_buffer() makes its own copy of the data we pass in. We don't need to make yet another copy.
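Review bot: In the first hunk of patch 1/2 (`@@ -1793,6 +1793,9 @@`), `null_byte` and `null_data` are declared without any comment saying what they are for; the only explanation sits at the call site in the second hunk, roughly 160 lines further down. A one-line comment above the declarations would stop a later reader from treating them as dead code: `/* Zero-length stand-in: Heimdal's krb5_pac_add_buffer() asserts on a NULL data pointer. */`. The enclosing block starts and ends outside the hunk.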
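Review bot: In the second hunk of patch 1/2 (`@@ -1952,10 +1955,14 @@`), the fallback `(type_data.data != NULL) ? &type_data : &null_data` keys on the pointer alone, so a `type_data` with a NULL pointer and a non-zero `length` would be written into the new PAC as an empty buffer with no error reported. The code that fills `type_data` is outside this hunk and presumably never produces that combination, but the substitution silently relies on it. Either say so in the comment ("a NULL pointer here always means a zero-length buffer") or reject the inconsistent case before the call, for example `if (type_data.data == NULL && type_data.length != 0) { code = EINVAL; goto done; }`.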
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit fa901e7346d36ae64a7ceab5dcf76bc210a67c93)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476
---
 source4/kdc/pac-glue.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 621999faa293..b792fbbf5aa2 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1939,12 +1939,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 
 if (type_blob.length != 0) {
- code = smb_krb5_copy_data_contents(&type_data,
- type_blob.data,
- type_blob.length);
- if (code != 0) {
- goto done;
- }
+ type_data = smb_krb5_data_from_blob(type_blob);
+ code = krb5_pac_add_buffer(context, new_pac,
+ type, &type_data);
 } else {
 code = krb5_pac_get_buffer(context,
 old_pac,
@@ -1953,17 +1950,17 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 if (code != 0) {
 goto done;
 }
+ /*
+ * Passing a NULL pointer into krb5_pac_add_buffer() is
+ * not allowed, so pass null_data instead if needed.
+ */
+ code = krb5_pac_add_buffer(context,
+ new_pac,
+ type,
+ (type_data.data != NULL) ? &type_data : &null_data);
+ smb_krb5_free_data_contents(context, &type_data);
 }
 
- /*
- * Passing a NULL pointer into krb5_pac_add_buffer() is
- * not allowed, so pass null_data instead if needed.
- */
- code = krb5_pac_add_buffer(context,
- new_pac,
- type,
- (type_data.data != NULL) ? &type_data : &null_data);
- smb_krb5_free_data_contents(context, &type_data);
 if (code != 0) {
 goto done;
 }
-- 
2.34.1
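Review bot: In the first hunk of patch 2/2 (`@@ -1939,12 +1939,9 @@`), `type_data = smb_krb5_data_from_blob(type_blob);` leaves `type_data` pointing at memory owned by `type_blob`, while in the else branch the same variable holds memory that `smb_krb5_free_data_contents()` has to release. The patch frees only in the else branch, which is correct for the visible lines. However, any cleanup of `type_data` outside this hunk (for instance at `done:`) would then free memory the variable only borrowed. A separate local for the borrowed view keeps the two ownership cases apart: `const krb5_data blob_data = smb_krb5_data_from_blob(type_blob);` followed by `code = krb5_pac_add_buffer(context, new_pac, type, &blob_data);`. The declaration of `type_data` and the rest of the function are outside the hunk.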