[Pkg-samba-maint] [samba] 09/11: s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()

Mathieu Parent sathieu at moszumanska.debian.org
Thu Jun 29 08:02:38 UTC 2017


This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch master
in repository samba.

commit 9317fd80142d6c56da2be90621c0150b66c18d4d
Author: Michael Saxl <mike at mwsys.mine.bz>
Date:   Sat Jun 24 13:41:48 2017 +0200

    s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
    
    If the keytab file isn't readable, we may call
    krb5_kt_end_seq_get() with an invalid kt_cursor.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Michael Saxl <mike at mwsys.mine.bz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/librpc/crypto/gse_krb5.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 703d1b4..4dd39ea 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -437,6 +437,14 @@ static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
 	if (ret) {
 		DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
 			  error_message(ret)));
+		/*
+		 * krb5_kt_start_seq_get() may leaves bogus data
+		 * in kt_cursor. And we want to use the all_zero()
+		 * logic below.
+		 *
+		 * See bug #10490
+		 */
+		ZERO_STRUCT(kt_cursor);
 		goto out;
 	}
 
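Review bot: In the comment added above ZERO_STRUCT(kt_cursor), "may leaves bogus data" should read "may leave bogus data". The comment would also be clearer if it stated what the all_zero() check guards against: per the commit message, calling krb5_kt_end_seq_get() with an invalid kt_cursor. Because the cleanup decision depends on kt_cursor being all zero, consider also zeroing it once before krb5_kt_start_seq_get() is called, so the invariant does not rely on each failure branch remembering to reset it. Whether that initialization already exists is not visible in this hunk.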

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



