Bug 8988 - avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
Summary: avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute()
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-07 15:28 UTC by Alexander Bokovoy
Modified: 2012-06-13 17:44 UTC (History)
0 users

See Also:

Attachments
proposed fix based on the fix in master (1.82 KB, patch)
2012-06-07 15:30 UTC, Alexander Bokovoy 		gd: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bokovoy 2012-06-07 15:28:55 UTC 
gss_get_name_attribute() can return unintialized pac_display_buffer and later gss_release_buffer() will crash on attempting to release it.

The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087

We need to initialize variables before using gss_get_name_attribute()

Patch for 3.6 is attached. The problem was introduced with commit 1bb6b841 and affects all 3.6 releases:
$ git tag --contains 1bb6b841
samba-3.6.0
samba-3.6.0rc1
samba-3.6.0rc2
samba-3.6.0rc3
samba-3.6.1
samba-3.6.2
samba-3.6.3
samba-3.6.4
samba-3.6.5
Comment 1 Alexander Bokovoy 2012-06-07 15:30:03 UTC 
Created attachment 7633 [details]
proposed fix based on the fix in master
Comment 2 Guenther Deschner 2012-06-07 16:20:15 UTC 
Comment on attachment 7633 [details]
proposed fix based on the fix in master

looks good
Comment 3 Guenther Deschner 2012-06-07 16:21:10 UTC 
Karolin, please add to 3.6.x.

Thanks
Comment 4 Karolin Seeger 2012-06-13 17:44:06 UTC 
Pushed to v3-6-test.
Closing out bug report.

Thanks!