The Samba-Bugzilla – Bug 9213
Bad ASN.1 NegTokenInit packet can cause invalid free.
Last modified: 2015-07-31 15:51:19 UTC
Sigh. We've had this bug before (it isn't a security hole, btw). At the SNIA plugfest Codenomicon showed a bad OID sent in a NegTokenInit can cause asn1_read_OID() to fail to read an OID string without setting asn1->has_error in the data ASN.1 structure.
The OID array in the function definition:
bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
is a BAD interface. And we should always set OIDs[0...ASN1_MAX_OIDS-1] = NULL
before attempting to do any parsing, in the same way we set *principal = NULL and *secblob = data_blob_null.
Patches to follow. More when I have coordinated with Codenomicon to get a packet trace of the exact packet that caused the problem.
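The failure mode described in the report, as an added example that is not Samba's code and is not part of the original bug comments: a parser that fills a caller-supplied, NULL-terminated pointer array and returns early on bad input, compared with the same parser clearing every slot before it reads anything. The names `parse_oid_list`, `stale_after_parse`, `MAX_OIDS`, the `STALE` marker and the length-prefixed toy format are assumptions made for this sketch; stale slots are counted rather than freed so the program stays well-defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OIDS 4   /* hypothetical stand-in for ASN1_MAX_OIDS */
#define STALE ((char *)(uintptr_t)0xA5A5A5A5u)   /* simulated stack garbage, never dereferenced */

/* Constructed inputs in a toy format (not real DER): repeated [len][len bytes]. */
static const uint8_t GOOD_PKT[] = {3, '1', '.', '2', 3, '1', '.', '3'};
static const uint8_t BAD_PKT[]  = {3, '1', '.', '2', 9, '1', '.'};   /* 2nd length overruns */

static bool parse_oid_list(const uint8_t *buf, size_t n, char *oids[MAX_OIDS], bool init_first)
{
    size_t pos = 0, i = 0;
    if (init_first)                       /* the fix the report asks for */
        for (size_t k = 0; k < MAX_OIDS; k++) oids[k] = NULL;
    while (pos < n && i < MAX_OIDS - 1) {
        size_t len = buf[pos++];
        if (len == 0 || len > n - pos)
            return false;                 /* early exit leaves slots i.. untouched */
        if ((oids[i] = malloc(len + 1)) == NULL)
            return false;
        memcpy(oids[i], buf + pos, len);
        oids[i][len] = '\0';
        pos += len;
        i++;
    }
    oids[i] = NULL;                       /* terminator is only written on success */
    return true;
}

/* Caller-style cleanup of a NULL-terminated array. Returns how many slots held
 * stale garbage, i.e. values a real cleanup loop would have passed to free(). */
static int stale_after_parse(const uint8_t *buf, size_t n, bool init_first)
{
    char *oids[MAX_OIDS];
    int stale = 0;
    for (size_t k = 0; k < MAX_OIDS; k++) oids[k] = STALE;   /* model uninitialised stack */
    (void)parse_oid_list(buf, n, oids, init_first);
    for (size_t k = 0; k < MAX_OIDS && oids[k] != NULL; k++) {
        if (oids[k] == STALE) stale++;
        else free(oids[k]);
    }
    return stale;
}

int main(void) { return stale_after_parse(GOOD_PKT, sizeof GOOD_PKT, true) + stale_after_parse(BAD_PKT, sizeof BAD_PKT, true); }
```

With the malformed input and no up-front initialisation, three slots still hold the marker when cleanup runs; with initialisation the cleanup loop stops at the first NULL and touches only memory the parser allocated.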
Created attachment 7943
Patch for all releases.
As previously mentioned, this isn't the completely correct patch but will fix this generic uninitialized free error once and for all, and once I have the packet trace from Codenomicon I will fix the underlying issue.
This patch applies to all released versions - 4.0.0rc, 3.6.next and 3.5.next.
Re-assigning to Karolin for inclusion in:
Created attachment 7955
Packet number 9 is the offending one.
(In reply to comment #2)
> Re-assigning to Karolin for inclusion in:
Pushed to autobuild-v4-0-test, v3-6-test and v3-5-test.
Re-assigning to Jeremy.
(In reply to Karolin Seeger from comment #4)
Karolin assigned to me instead of Jeremy...
What's left to do here?
(In reply to Stefan (metze) Metzmacher from comment #5)
Jeremy, can we close this?
Yes, the complete fix went in (reviewed by Ronnie) some time ago.