Sigh. We've had this bug before (it isn't a security hole, btw). At the SNIA plugfest Codenomicon showed that a bad OID sent in a NegTokenInit can cause asn1_read_OID() to fail to read an OID string without setting asn1->has_error in the ASN.1 data structure. The OID array in the function definition, bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal, DATA_BLOB *secblob), is a BAD interface. And we should always set OIDs[0...ASN1_MAX_OIDS-1] = NULL before attempting to do any parsing, in the same way we set *principal = NULL and *secblob = data_blob_null. Patches to follow. More when I have coordinated with Codenomicon to get a packet trace of the exact packet that caused the problem. Jeremy.
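The uninitialized-free pattern described in the comment above, as an added C example that is not Samba code: the OID reader (read_oid), the comma-separated mech-list format, the parse and cleanup routines (parse_mech_list_unsafe, parse_mech_list_safe, free_oids) and the malformed input are all hypothetical stand-ins constructed for illustration. The reader deliberately returns false on a malformed element without raising any error flag, mirroring the reported asn1_read_OID() failure mode, so the difference between the two parser shapes is entirely in whether the caller-supplied array was cleared before parsing began.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OIDS 16

/* Copy len bytes of s into a fresh NUL-terminated buffer (portable strndup). */
static char *copy_token(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Hypothetical stand-in for an ASN.1 OID reader (not Samba's asn1_read_OID).
 * The mech list is modelled as comma-separated dotted OIDs. An empty element
 * is "malformed": the reader returns false, stores nothing, and sets no
 * error flag anywhere, which is the failure mode the comment above reports. */
static bool read_oid(const char **cursor, char **out)
{
    const char *start = *cursor;
    const char *comma = strchr(start, ',');
    size_t len = comma ? (size_t)(comma - start) : strlen(start);

    if (len == 0) return false;
    *out = copy_token(start, len);
    if (*out == NULL) return false;
    *cursor = comma ? comma + 1 : start + len;
    return true;
}

/* Buggy shape: fills the caller-supplied oids[] but never clears it first, so
 * on a mid-list failure every slot past the failure point keeps stale contents. */
static bool parse_mech_list_unsafe(const char *mech_list, char *oids[MAX_OIDS])
{
    const char *cursor = mech_list;
    int n = 0;

    while (*cursor != '\0' && n < MAX_OIDS - 1) {
        if (!read_oid(&cursor, &oids[n])) return false;
        n++;
    }
    oids[n] = NULL; /* terminator is only written on success */
    return true;
}

/* Fixed shape: NULL every slot before parsing, the same way *principal and
 * *secblob are reset up front, so cleanup is safe on every exit path. */
static bool parse_mech_list_safe(const char *mech_list, char *oids[MAX_OIDS])
{
    for (int i = 0; i < MAX_OIDS; i++) oids[i] = NULL;
    return parse_mech_list_unsafe(mech_list, oids);
}

/* Release parsed OIDs, stopping at the first NULL. Only safe if the array was
 * NULL-initialised. Returns the number of entries freed. */
static int free_oids(char *oids[MAX_OIDS])
{
    int freed = 0;
    for (int i = 0; i < MAX_OIDS && oids[i] != NULL; i++) {
        free(oids[i]);
        oids[i] = NULL;
        freed++;
    }
    return freed;
}

/* Constructed malformed mech list: the second element is empty, so parsing
 * stops after the first OID without any error being signalled. */
static const char *BAD_MECH_LIST = "1.3.6.1.4.1.311.2.2.10,,1.2.840.113554.1.2.2";

/* Unsafe path: seed the array with a poison pointer standing in for stack
 * garbage, run the parse, and count slots still holding poison afterwards.
 * A cleanup loop over this array would hand those pointers to free(). */
static int stale_slots_after_unsafe_parse(void)
{
    char *oids[MAX_OIDS];
    char poison; /* address of a local: non-NULL, never a heap pointer */
    int stale = 0;

    for (int i = 0; i < MAX_OIDS; i++) oids[i] = &poison;
    (void)parse_mech_list_unsafe(BAD_MECH_LIST, oids);
    for (int i = 0; i < MAX_OIDS; i++) {
        if (oids[i] == &poison) stale++;
    }
    free(oids[0]); /* the one entry that really was allocated */
    return stale;
}

/* Safe path: same input, array cleared first, so free_oids() releases
 * exactly the one OID that was allocated and touches nothing else. */
static int freed_after_safe_parse(void)
{
    char *oids[MAX_OIDS];
    bool ok = parse_mech_list_safe(BAD_MECH_LIST, oids);
    return ok ? -1 : free_oids(oids);
}

/* Well-formed input through the safe path: both OIDs parsed and freed. */
static int freed_after_good_parse(void)
{
    char *oids[MAX_OIDS];
    bool ok = parse_mech_list_safe("1.3.6.1.4.1.311.2.2.10,1.2.840.113554.1.2.2", oids);
    return ok ? free_oids(oids) : -1;
}

int main(void)
{
    printf("stale slots after unsafe parse: %d\n", stale_slots_after_unsafe_parse());
    printf("freed after safe parse:         %d\n", freed_after_safe_parse());
    printf("freed after good parse:         %d\n", freed_after_good_parse());
    return 0;
}
```

The point the example isolates is that the parser's return value is the only signal the caller gets, and even that can be missed; pre-clearing the output array means a generic cleanup loop is correct regardless of where, or how quietly, parsing stopped.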
Created attachment 7943 [details] Patch for all releases. As previously mentioned, this isn't the completely correct patch but will fix this generic uninitialized free error once and for all, and once I have the packet trace from Codenomicon I will fix the underlying issue. This patch applies to all released versions - 4.0.0rc, 3.6.next and 3.5.next. Jeremy.
Re-assigning to Karolin for inclusion in:

3.5.next
3.6.next
4.0.0rc.next.
Created attachment 7955 [details] Wireshark capture. Packet number 9 is the offending one.
(In reply to comment #2)
> Re-assigning to Karolin for inclusion in:
>
> 3.5.next
> 3.6.next
> 4.0.0rc.next.

Pushed to autobuild-v4-0-test, v3-6-test and v3-5-test. Re-assigning to Jeremy.
(In reply to Karolin Seeger from comment #4) Karolin assigned to me instead of Jeremy... What's left to do here?
(In reply to Stefan (metze) Metzmacher from comment #5) Jeremy, can we close this?
Yes, the complete fix went in (reviewed by Ronnie) some time ago.