The branch, master has been updated
       via  30797ce... s4:kdc Fill in created_by principal field
       via  2e2b7e8... s4:kdc Fix double free and uninitialized memory.
      from  89621d8... testprogs: print all printerinfo levels in spoolss test.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 30797cec7d826a75e6e458829fc3b2203d841ba3
Author: Simo Sorce <[email protected]>
Date:   Fri Feb 12 16:24:22 2010 -0500

    s4:kdc Fill in created_by principal field

commit 2e2b7e82592dc5dbb818b621cafafdab05796a12
Author: Simo Sorce <[email protected]>
Date:   Fri Feb 12 14:54:18 2010 -0500

    s4:kdc Fix double free and uninitialized memory.
    
    In samba_kdc_trust_message2entry() on error, hdb_free_entry()
    may end up trying to access uninitialized memory or double
    free the hdb_entry.

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/db-glue.c |   26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index c434ccb..4fc94f8 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -180,6 +180,13 @@ static int samba_kdc_entry_destructor(struct 
samba_kdc_entry *p)
 
 static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
 {
+       /* this function is called only from hdb_free_entry().
+        * Make sure we neutralize the destructor or we will
+        * get a double free later when hdb_free_entry() will
+        * try to call free_hdb_entry() */
+       talloc_set_destructor(entry_ex->ctx, NULL);
+
+       /* now proceed to free the talloc part */
        talloc_free(entry_ex->ctx);
 }
 
@@ -542,6 +549,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context 
context,
 
        talloc_set_destructor(p, samba_kdc_entry_destructor);
 
+       /* make sure we do not have bogus data in there */
+       memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+
        entry_ex->ctx = p;
        entry_ex->free_entry = samba_kdc_free_entry;
 
@@ -741,7 +751,7 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
 {
        struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
        const char *dnsdomain;
-       char *realm;
+       char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
        DATA_BLOB password_utf16;
        struct samr_Password password_hash;
        const struct ldb_val *password_val;
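Review bot: Moving the `strupper_talloc()` call into the declaration of `realm` at +754 leaves its result unchecked; it allocates on `mem_ctx` and returns NULL on allocation failure, and the hunk at +773 now passes `realm` straight into `krb5_make_principal()` before either direction branch assigns it. A guard right after the declarations, `if (realm == NULL) { return ENOMEM; }` (or whatever the function's existing out-of-memory path is, if it has one further down), closes that. samba_kdc_trust_message2entry's body continues outside this hunk.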
@@ -763,24 +773,30 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
 
        talloc_set_destructor(p, samba_kdc_entry_destructor);
 
+       /* make sure we do not have bogus data in there */
+       memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+
        entry_ex->ctx = p;
        entry_ex->free_entry = samba_kdc_free_entry;
 
        /* use 'whenCreated' */
        entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, 
"whenCreated", 0);
-       /* use '???' */
-       entry_ex->entry.created_by.principal = NULL;
+       /* use 'kadmin' for now (needed by mit_samba) */
+       krb5_make_principal(context,
+                           &entry_ex->entry.created_by.principal,
+                           realm, "kadmin", NULL);
 
        entry_ex->entry.valid_start = NULL;
 
        trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 
0);
 
        if (direction == INBOUND) {
-               realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
                password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
 
        } else { /* OUTBOUND */
                dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", 
NULL);
+               /* replace realm */
+               talloc_free(realm);
                realm = strupper_talloc(mem_ctx, dnsdomain);
                password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
        }
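Review bot: The `krb5_make_principal()` call added at +784 returns a `krb5_error_code` that is discarded, so on failure `created_by.principal` stays NULL (after the new memset) and the entry is handed back as if it were complete. Assuming the function keeps its error code in a `krb5_error_code` local as the surrounding code does, the call should be `ret = krb5_make_principal(context, &entry_ex->entry.created_by.principal, realm, "kadmin", NULL);` followed by `if (ret != 0) { /* release p / entry_ex via the function's existing error path */ }`. The OUTBOUND branch's `talloc_free(realm)` before the second `strupper_talloc()` is fine since the principal already holds its own copy of the realm, but the second result is likewise unchecked (pre-existing). samba_kdc_trust_message2entry's body continues outside this hunk.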
@@ -821,8 +837,6 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
                        break;
                }
        }
-       entry_ex->entry.keys.len = 0;
-       entry_ex->entry.keys.val = NULL;
 
        if (i < password_blob.count) {
                Key key;


-- 
Samba Shared Repository
