samba/sme10/samba-4.2.3-fix_net_ads_keytab_segfault.patch

From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Mar 2015 10:09:18 +0100
Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4)
---
 source3/libads/kerberos_keytab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ae3d80e39..2d5c7ff 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        krb5_context context = NULL;
        krb5_keytab keytab = NULL;
        krb5_kt_cursor cursor;
-       krb5_keytab_entry kt_entry;
+       krb5_keytab_entry kt_entry = {0};
        krb5_kvno kvno;
        size_t found = 0;
        char *sam_account_name, *upn;
-- 
2.4.6


From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Mar 2015 10:09:51 +0100
Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0)
---
 source3/libads/kerberos_keytab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 2d5c7ff..bbd981c 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        krb5_error_code ret = 0;
        krb5_context context = NULL;
        krb5_keytab keytab = NULL;
-       krb5_kt_cursor cursor;
+       krb5_kt_cursor cursor = {0};
        krb5_keytab_entry kt_entry = {0};
        krb5_kvno kvno;
        size_t found = 0;
-- 
2.4.6


From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Sat, 2 May 2015 13:44:52 +0300
Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

In ads_keytab_creat_default(), if the keytab to be created cannot
be opened, the bail-out code calls smb_krb5_kt_free_entry() on
an uninitialized entry.

To reproduce:
1. Join a domain
2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821)
---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index bbd981c..ef6374a 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        size_t i;
        ADS_STATUS status;
 
+       ZERO_STRUCT(kt_entry);
+       ZERO_STRUCT(cursor);
+
        frame = talloc_stackframe();
        if (frame == NULL) {
                ret = -1;
@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 #endif
 
        memset(princ_s, '\0', sizeof(princ_s));
-       ZERO_STRUCT(kt_entry);
-       ZERO_STRUCT(cursor);
 
        initialize_krb5_error_table();
        ret = krb5_init_context(&context);
-- 
2.4.6


From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Sat, 2 May 2015 13:44:53 +0300
Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and
 updating keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104

(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7)
---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374a..309e614 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
                smb_krb5_kt_free_entry(context, &kt_entry);
                ZERO_STRUCT(kt_entry);
        }
+       krb5_kt_end_seq_get(context, keytab, &cursor);
+       ZERO_STRUCT(cursor);
+
        ret = 0;
        for (i = 0; oldEntries[i]; i++) {
                ret |= ads_keytab_add_entry(ads, oldEntries[i]);
                TALLOC_FREE(oldEntries[i]);
        }
-       krb5_kt_end_seq_get(context, keytab, &cursor);
-       ZERO_STRUCT(cursor);
 
 done:
        TALLOC_FREE(oldEntries);
-- 
2.4.6

1	From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001
2	From: Volker Lendecke <vl@samba.org>
3	Date: Wed, 4 Mar 2015 10:09:18 +0100
4	Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable
5
6	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
7
8	Signed-off-by: Volker Lendecke <vl@samba.org>
9	Reviewed-by: David Disseldorp <ddiss@samba.org>
10	(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4)
11	---
12	source3/libads/kerberos_keytab.c \| 2 +-
13	1 file changed, 1 insertion(+), 1 deletion(-)
14
15	diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
16	index ae3d80e39..2d5c7ff 100644
17	--- a/source3/libads/kerberos_keytab.c
18	+++ b/source3/libads/kerberos_keytab.c
19	@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
20	krb5_context context = NULL;
21	krb5_keytab keytab = NULL;
22	krb5_kt_cursor cursor;
23	- krb5_keytab_entry kt_entry;
24	+ krb5_keytab_entry kt_entry = {0};
25	krb5_kvno kvno;
26	size_t found = 0;
27	char sam_account_name, upn;
28	--
29	2.4.6
30
31
32	From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001
33	From: Volker Lendecke <vl@samba.org>
34	Date: Wed, 4 Mar 2015 10:09:51 +0100
35	Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable
36
37	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
38
39	Signed-off-by: Volker Lendecke <vl@samba.org>
40	Reviewed-by: David Disseldorp <ddiss@samba.org>
41	(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0)
42	---
43	source3/libads/kerberos_keytab.c \| 2 +-
44	1 file changed, 1 insertion(+), 1 deletion(-)
45
46	diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
47	index 2d5c7ff..bbd981c 100644
48	--- a/source3/libads/kerberos_keytab.c
49	+++ b/source3/libads/kerberos_keytab.c
50	@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
51	krb5_error_code ret = 0;
52	krb5_context context = NULL;
53	krb5_keytab keytab = NULL;
54	- krb5_kt_cursor cursor;
55	+ krb5_kt_cursor cursor = {0};
56	krb5_keytab_entry kt_entry = {0};
57	krb5_kvno kvno;
58	size_t found = 0;
59	--
60	2.4.6
61
62
63	From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001
64	From: Uri Simchoni <urisimchoni@gmail.com>
65	Date: Sat, 2 May 2015 13:44:52 +0300
66	Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer
67
68	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
69
70	In ads_keytab_creat_default(), if the keytab to be created cannot
71	be opened, the bail-out code calls smb_krb5_kt_free_entry() on
72	an uninitialized entry.
73
74	To reproduce:
75	1. Join a domain
76	2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P
77
78	Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
79	Reviewed-by: Jeremy Allison <jra@samba.org>
80	Reviewed-by: Andreas Schneider <asn@samba.org>
81	(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821)
82	---
83	source3/libads/kerberos_keytab.c \| 5 +++--
84	1 file changed, 3 insertions(+), 2 deletions(-)
85
86	diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
87	index bbd981c..ef6374a 100644
88	--- a/source3/libads/kerberos_keytab.c
89	+++ b/source3/libads/kerberos_keytab.c
90	@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
91	size_t i;
92	ADS_STATUS status;
93
94	+ ZERO_STRUCT(kt_entry);
95	+ ZERO_STRUCT(cursor);
96	+
97	frame = talloc_stackframe();
98	if (frame == NULL) {
99	ret = -1;
100	@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
101	#endif
102
103	memset(princ_s, '\0', sizeof(princ_s));
104	- ZERO_STRUCT(kt_entry);
105	- ZERO_STRUCT(cursor);
106
107	initialize_krb5_error_table();
108	ret = krb5_init_context(&context);
109	--
110	2.4.6
111
112
113	From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001
114	From: Uri Simchoni <urisimchoni@gmail.com>
115	Date: Sat, 2 May 2015 13:44:53 +0300
116	Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and
117	updating keytab
118
119	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
120
121	When updating the system keytab as a result of joining a domain,
122	if the keytb had prior entries, ads_keytab_create_default tries to
123	update those entries. However, it starts updating before freeing the
124	cursor which was used for finding those entries, and hence causes
125	an an attempt to write-lock the keytab while a read-lock exists.
126
127	To reproduce configure smb.conf for ads domain member and run this twice:
128	net ads join -U <credentials> '--option=kerberos method=secrets and keytab'
129
130	Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
131	Reviewed-by: Jeremy Allison <jra@samba.org>
132	Reviewed-by: Andreas Schneider <asn@samba.org>
133
134	Autobuild-User(master): Jeremy Allison <jra@samba.org>
135	Autobuild-Date(master): Mon May 4 21:01:41 CEST 2015 on sn-devel-104
136
137	(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7)
138	---
139	source3/libads/kerberos_keytab.c \| 5 +++--
140	1 file changed, 3 insertions(+), 2 deletions(-)
141
142	diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
143	index ef6374a..309e614 100644
144	--- a/source3/libads/kerberos_keytab.c
145	+++ b/source3/libads/kerberos_keytab.c
146	@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
147	smb_krb5_kt_free_entry(context, &kt_entry);
148	ZERO_STRUCT(kt_entry);
149	}
150	+ krb5_kt_end_seq_get(context, keytab, &cursor);
151	+ ZERO_STRUCT(cursor);
152	+
153	ret = 0;
154	for (i = 0; oldEntries[i]; i++) {
155	ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
156	TALLOC_FREE(oldEntries[i]);
157	}
158	- krb5_kt_end_seq_get(context, keytab, &cursor);
159	- ZERO_STRUCT(cursor);
160
161	done:
162	TALLOC_FREE(oldEntries);
163	--
164	2.4.6
165