It's possible for ads_keytab_create_default() to pass an invalid pointer to ads_keytab_add_entry() at the following spot:

    697     for (i = 0; oldEntries[i]; i++) {
    698         ret |= ads_keytab_add_entry(ads, oldEntries[i]);
    699         TALLOC_FREE(oldEntries[i]);
    700     }

The reason this happens is that the oldEntries array is allocated (and zeroed) with only enough space for the number of existing entries found, so for example with one existing entry, oldEntries[1] would not be guaranteed to be NULL:

    oldEntries = talloc_array(tmpctx, char *, found);
    memset(oldEntries, '\0', found * sizeof(char *));

    (gdb) x/32 oldEntries
    0x7fdcaca42630: 0xaca41f00 0x00007fdc 0x00000021 0x00000000
    (gdb) p oldEntries
    $29 = (char **) 0x7fdcaca42630
    (gdb) p oldEntries[0]
    $30 = 0x7fdcaca41f00 "example-princ"
    (gdb) p oldEntries[1]
    $31 = 0x21 <Address 0x21 out of bounds>
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1163383
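The bug class in the report, a sentinel-terminated walk over an array that was only sized for `found` entries, illustrated with added C that is not Samba's code: plain `calloc()` stands in for `talloc_zero_array()`, the principals in `SAMPLE_KEYTAB` are constructed, and `has_suffix`, `collect_entries` and `readd_entries` are hypothetical names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample keytab principals (not from any real keytab). */
static const char *const SAMPLE_KEYTAB[] = {
    "host/dc1@EXAMPLE.COM", "cifs/fs1@OTHER.REALM", "example-princ@EXAMPLE.COM"};
#define SAMPLE_KEYTAB_LEN 3

static int has_suffix(const char *s, const char *suffix)
{
    size_t len = strlen(s), slen = strlen(suffix);
    return len >= slen && strcmp(s + len - slen, suffix) == 0;
}

/* Gather every principal ending in `suffix` into a NULL-terminated array.
 * The sentinel loop in readd_entries() needs found + 1 zeroed slots: with
 * only `found` slots (the allocation quoted in the report) entries[found]
 * lies past the end of the block, and for found == 0 so does entries[0]. */
static const char **collect_entries(const char *const *keytab, size_t n,
                                    const char *suffix, size_t *found_out)
{
    size_t i, found = 0, k = 0;
    const char **entries;
    for (i = 0; i < n; i++)
        found += has_suffix(keytab[i], suffix) ? 1 : 0;
    /* calloc() stands in for talloc_zero_array(): zeroed, sentinel in bounds */
    entries = calloc(found + 1, sizeof(*entries));
    if (entries == NULL)
        return NULL;
    for (i = 0; i < n; i++)
        if (has_suffix(keytab[i], suffix))
            entries[k++] = keytab[i];
    *found_out = found;
    return entries;
}

/* Walk to the NULL sentinel exactly as the reported loop does; returns the
 * number of entries visited, which must equal `found` from collect_entries(). */
static size_t readd_entries(const char **entries)
{
    size_t i;
    for (i = 0; entries[i] != NULL; i++)
        ; /* ads_keytab_add_entry() + TALLOC_FREE() would go here */
    return i;
}
```

With the `found`-sized allocation from the report, the second scenario below (no matching entries) would read `entries[0]` from a zero-length block before the loop even starts.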
Created attachment 10430 [details] use talloc_zero_array for keytab array
Comment on attachment 10430 [details] use talloc_zero_array for keytab array (Not that I was asked) - but LGTM (and pushed to master :-). Jeremy.
Karolin, patch is in master with 2 reviews 0de6799996955fbf8e19ace8c4b7b61f5a262cb5. Can you please push to 4.1 and 4.2 ? Thanks.
(In reply to Guenther Deschner from comment #4) Cherry-picked and pushed to autobuild-v4-[1|2]-test. Please note that the usual procedure is to add the patchsets including the bug number in the commit message to the bug report and add separate review flags, because the review is only valid for one branch. It might (and did) happen that a patch is valid for master, but wrong for e.g. v4-1-test although applying cleanly. Thanks!
Pushed to v4-2-test and v4-1-test. Closing out bug report. Thanks!