Bug 11959 - Failure path in ads_keytab_create_default() can crash when krb5_context == NULL.
Summary: Failure path in ads_keytab_create_default() can crash when krb5_context == NULL.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-08 22:01 UTC by Jeremy Allison
Modified: 2016-06-16 09:09 UTC (History)
1 user (show)

See Also:

Attachments
git-am fix for master. Submitted to samba-technical. (1.36 KB, patch)
2016-06-08 22:01 UTC, Jeremy Allison 		no flags Details
git-am fix for 4.4.next, 4.3.next, 4.2.next (1.64 KB, patch)
2016-06-09 18:33 UTC, Jeremy Allison 		uri: review+
Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-06-08 22:01:42 UTC 
Created attachment 12168 [details]
git-am fix for master. Submitted to samba-technical.

Backtrace from a user:

Program received signal SIGSEGV, Segmentation fault.
free_PrincipalName (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:961
961     default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c: No such file or directory.
(gdb) bt
#0  free_PrincipalName (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:961
#1  0x00007fffef9d4639 in free_Principal (data=data@entry=0x45) at default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:1123
#2  0x00007ffff7991fb1 in krb5_free_principal (context=context@entry=0x0, p=0x45) at ../source4/heimdal/lib/krb5/principal.c:84
#3  0x00007ffff79856c4 in krb5_kt_free_entry (context=0x0, entry=entry@entry=0x7fffffffdb70) at ../source4/heimdal/lib/krb5/keytab.c:7
+09
#4  0x00007ffff3cc08e5 in smb_krb5_kt_free_entry (context=<optimized out>, kt_entry=kt_entry@entry=0x7fffffffdb70) at ../lib/krb5_wrap
+/krb5_samba.c:1247
#5  0x00007ffff6384c6d in ads_keytab_create_default (ads=<optimized out>) at ../source3/libads/kerberos_keytab.c:750
#6  0x0000555555596190 in net_ads_keytab_create (c=0x55555584e5b0, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net
+_ads.c:2507
#7  0x00005555555921d9 in net_ads_keytab (c=0x55555584e5b0, argc=1, argv=0x55555584ecd8) at ../source3/utils/net_ads.c:2576
#8  0x0000555555598ea4 in net_ads (c=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net_ads.c:3329
#9  0x000055555557885a in main (argc=5, argv=0x7fffffffebb8) at ../source3/utils/net.c:961


> Hi All,
>
> Whe tryin to use: net ads keytab create, I get the following segfault:
Comment 1 Jeremy Allison 2016-06-08 22:11:00 UTC 
Hmmm. Probably only 4.2.x is vulnerable to this as 4.3.x and above initialize krb5_kt_cursor cursor = {0}; and krb5_keytab_entry kt_entry = {0};.

Still, it's very untidy error cleanup.
Comment 2 Andrew Bartlett 2016-06-08 22:49:59 UTC 
We need this all the way back to 4.2 for Debian, where this has been seen by upgrading users after the backlock release.
Comment 3 Jeremy Allison 2016-06-08 22:53:52 UTC 
Well the patch applies cleanly to master, 4.4.x, 4.3.x, 4.2.x so once it's +1'ed and in master I'll cherry-pick for the back-port.
Comment 4 Jeremy Allison 2016-06-09 18:33:57 UTC 
Created attachment 12173 [details]
git-am fix for 4.4.next, 4.3.next, 4.2.next

Cherry-pick from master. Applies cleanly to 4.4.next, 4.3.next, 4.2.next.
Comment 5 Uri Simchoni 2016-06-09 18:43:56 UTC 
Assigning to Karolin for inclusion in 4.2.next, 4.3.next, 4.4.next.
Comment 6 Karolin Seeger 2016-06-15 09:36:20 UTC 
(In reply to Uri Simchoni from comment #5)
Pushed to autobuild-v4-[4|3|2]-test.
Comment 7 Karolin Seeger 2016-06-16 09:09:46 UTC 
(In reply to Karolin Seeger from comment #6)
Pushed to all branches.
Closing out bug report.

Thanks!