Bug 11959 - Failure path in ads_keytab_create_default() can crash when krb5_context == NULL.
Summary: Failure path in ads_keytab_create_default() can crash when krb5_context == NULL.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-08 22:01 UTC by Jeremy Allison
Modified: 2016-06-16 09:09 UTC

See Also:


Attachments
git-am fix for master. Submitted to samba-technical. (1.36 KB, patch)
2016-06-08 22:01 UTC, Jeremy Allison
no flags
git-am fix for 4.4.next, 4.3.next, 4.2.next (1.64 KB, patch)
2016-06-09 18:33 UTC, Jeremy Allison
uri: review+

Description Jeremy Allison 2016-06-08 22:01:42 UTC
Created attachment 12168
git-am fix for master. Submitted to samba-technical.

Backtrace from a user:

Program received signal SIGSEGV, Segmentation fault.
free_PrincipalName (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:961
961     default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c: No such file or directory.
(gdb) bt
#0  free_PrincipalName (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:961
#1  0x00007fffef9d4639 in free_Principal (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:1123
#2  0x00007ffff7991fb1 in krb5_free_principal (context=context@entry=0x0, p=0x45) at ../source4/heimdal/lib/krb5/principal.c:84
#3  0x00007ffff79856c4 in krb5_kt_free_entry (context=0x0, entry=entry@entry=0x7fffffffdb70) at ../source4/heimdal/lib/krb5/keytab.c:709
#4  0x00007ffff3cc08e5 in smb_krb5_kt_free_entry (context=<optimized out>, kt_entry=kt_entry@entry=0x7fffffffdb70) at ../lib/krb5_wrap/krb5_samba.c:1247
#5  0x00007ffff6384c6d in ads_keytab_create_default (ads=<optimized out>) at ../source3/libads/kerberos_keytab.c:750
#6  0x0000555555596190 in net_ads_keytab_create (c=0x55555584e5b0, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net_ads.c:2507
#7  0x00005555555921d9 in net_ads_keytab (c=0x55555584e5b0, argc=1, argv=0x55555584ecd8) at ../source3/utils/net_ads.c:2576
#8  0x0000555555598ea4 in net_ads (c=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net_ads.c:3329
#9  0x000055555557885a in main (argc=5, argv=0x7fffffffebb8) at ../source3/utils/net.c:961


> Hi All,
>
> When trying to use: net ads keytab create, I get the following segfault:
Comment 1 Jeremy Allison 2016-06-08 22:11:00 UTC
Hmmm. Probably only 4.2.x is vulnerable to this as 4.3.x and above initialize krb5_kt_cursor cursor = {0}; and krb5_keytab_entry kt_entry = {0};.

Still, it's very untidy error cleanup.
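An added illustration of the defensive pattern comment 1 describes (zero-initialising the cursor and kt_entry at declaration, so the cleanup path never frees something that was never filled in). This is a simplified model written for this page, not Samba or Heimdal code; the kt_* types and functions are invented stand-ins for the krb5 API.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumptions, not the Heimdal API) for the types in the
 * backtrace: a context, a keytab cursor and an entry owning a heap principal. */
typedef struct { int usable; } kt_context;
typedef struct { int pos; } kt_cursor;
typedef struct { char *principal; } kt_entry;

static int bad_free_calls;   /* frees attempted with a NULL context (frame #2) */
/* Like krb5_kt_free_entry(), this trusts whatever entry->principal holds. */
static void kt_free_entry(kt_context *ctx, kt_entry *entry)
{
    if (ctx == NULL) bad_free_calls++;
    free(entry->principal);
    entry->principal = NULL;
}
/* Constructed keytab with two entries; returns ENOENT when exhausted. */
static int kt_next_entry(kt_context *ctx, kt_cursor *cur, kt_entry *entry)
{
    const char *name = cur->pos == 0 ? "host/a.example" : "cifs/a.example";
    (void)ctx;
    if (cur->pos >= 2) return ENOENT;
    entry->principal = malloc(strlen(name) + 1);
    if (entry->principal == NULL) return ENOMEM;
    memcpy(entry->principal, name, strlen(name) + 1);
    cur->pos++;
    return 0;
}
/* Hardened shape of the failing function: everything the cleanup label touches
 * is zero-initialised at declaration, and cleanup frees only what was filled.
 * Returns 0 on success or an errno value. */
int create_default_keytab(kt_context *ctx, int *entries_seen)
{
    kt_cursor cursor = {0};
    kt_entry entry = {0};
    int ret;
    *entries_seen = 0;
    if (ctx == NULL || !ctx->usable) { ret = EINVAL; goto out; } /* early failure */
    while ((ret = kt_next_entry(ctx, &cursor, &entry)) == 0) {
        (*entries_seen)++;
        kt_free_entry(ctx, &entry);    /* release each entry as we go */
    }
    if (ret == ENOENT) ret = 0;
out:    /* safe on the early-failure path: entry.principal is still NULL */
    if (ctx != NULL && entry.principal != NULL) kt_free_entry(ctx, &entry);
    return ret;
}
```

Without the = {0} initialisers, the early-failure path would hand whatever stack garbage entry held (0x45 in the backtrace) to the free routine with a NULL context.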
Comment 2 Andrew Bartlett 2016-06-08 22:49:59 UTC
We need this all the way back to 4.2 for Debian, where this has been seen by upgrading users after the Badlock release.
Comment 3 Jeremy Allison 2016-06-08 22:53:52 UTC
Well the patch applies cleanly to master, 4.4.x, 4.3.x, 4.2.x so once it's +1'ed and in master I'll cherry-pick for the back-port.
Comment 4 Jeremy Allison 2016-06-09 18:33:57 UTC
Created attachment 12173
git-am fix for 4.4.next, 4.3.next, 4.2.next

Cherry-pick from master. Applies cleanly to 4.4.next, 4.3.next, 4.2.next.
Comment 5 Uri Simchoni 2016-06-09 18:43:56 UTC
Assigning to Karolin for inclusion in 4.2.next, 4.3.next, 4.4.next.
Comment 6 Karolin Seeger 2016-06-15 09:36:20 UTC
(In reply to Uri Simchoni from comment #5)
Pushed to autobuild-v4-[4|3|2]-test.
Comment 7 Karolin Seeger 2016-06-16 09:09:46 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to all branches.
Closing out bug report.

Thanks!