samba/sme10/samba-4.2.3-fix_net_ads_keytab_segfault.patch

From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Mar 2015 10:09:18 +0100
Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4)
---
 source3/libads/kerberos_keytab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ae3d80e39..2d5c7ff 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        krb5_context context = NULL;
        krb5_keytab keytab = NULL;
        krb5_kt_cursor cursor;
-       krb5_keytab_entry kt_entry;
+       krb5_keytab_entry kt_entry = {0};
        krb5_kvno kvno;
        size_t found = 0;
        char *sam_account_name, *upn;
-- 
2.4.6


From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Mar 2015 10:09:51 +0100
Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0)
---
 source3/libads/kerberos_keytab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 2d5c7ff..bbd981c 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        krb5_error_code ret = 0;
        krb5_context context = NULL;
        krb5_keytab keytab = NULL;
-       krb5_kt_cursor cursor;
+       krb5_kt_cursor cursor = {0};
        krb5_keytab_entry kt_entry = {0};
        krb5_kvno kvno;
        size_t found = 0;
-- 
2.4.6


From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Sat, 2 May 2015 13:44:52 +0300
Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

In ads_keytab_creat_default(), if the keytab to be created cannot
be opened, the bail-out code calls smb_krb5_kt_free_entry() on
an uninitialized entry.

To reproduce:
1. Join a domain
2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821)
---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index bbd981c..ef6374a 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        size_t i;
        ADS_STATUS status;
 
+       ZERO_STRUCT(kt_entry);
+       ZERO_STRUCT(cursor);
+
        frame = talloc_stackframe();
        if (frame == NULL) {
                ret = -1;
@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 #endif
 
        memset(princ_s, '\0', sizeof(princ_s));
-       ZERO_STRUCT(kt_entry);
-       ZERO_STRUCT(cursor);
 
        initialize_krb5_error_table();
        ret = krb5_init_context(&context);
-- 
2.4.6


From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Sat, 2 May 2015 13:44:53 +0300
Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and
 updating keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104

(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7)
---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374a..309e614 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
                smb_krb5_kt_free_entry(context, &kt_entry);
                ZERO_STRUCT(kt_entry);
        }
+       krb5_kt_end_seq_get(context, keytab, &cursor);
+       ZERO_STRUCT(cursor);
+
        ret = 0;
        for (i = 0; oldEntries[i]; i++) {
                ret |= ads_keytab_add_entry(ads, oldEntries[i]);
                TALLOC_FREE(oldEntries[i]);
        }
-       krb5_kt_end_seq_get(context, keytab, &cursor);
-       ZERO_STRUCT(cursor);
 
 done:
        TALLOC_FREE(oldEntries);
-- 
2.4.6

1	vip-ire	1.1	From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001
2			From: Volker Lendecke <vl@samba.org>
3			Date: Wed, 4 Mar 2015 10:09:18 +0100
4			Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable
5
6			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
7
8			Signed-off-by: Volker Lendecke <vl@samba.org>
9			Reviewed-by: David Disseldorp <ddiss@samba.org>
10			(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4)
11			---
12			source3/libads/kerberos_keytab.c \| 2 +-
13			1 file changed, 1 insertion(+), 1 deletion(-)
14
15			diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
16			index ae3d80e39..2d5c7ff 100644
17			--- a/source3/libads/kerberos_keytab.c
18			+++ b/source3/libads/kerberos_keytab.c
19			@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
20			krb5_context context = NULL;
21			krb5_keytab keytab = NULL;
22			krb5_kt_cursor cursor;
23			- krb5_keytab_entry kt_entry;
24			+ krb5_keytab_entry kt_entry = {0};
25			krb5_kvno kvno;
26			size_t found = 0;
27			char sam_account_name, upn;
28			--
29			2.4.6
30
31
32			From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001
33			From: Volker Lendecke <vl@samba.org>
34			Date: Wed, 4 Mar 2015 10:09:51 +0100
35			Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable
36
37			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
38
39			Signed-off-by: Volker Lendecke <vl@samba.org>
40			Reviewed-by: David Disseldorp <ddiss@samba.org>
41			(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0)
42			---
43			source3/libads/kerberos_keytab.c \| 2 +-
44			1 file changed, 1 insertion(+), 1 deletion(-)
45
46			diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
47			index 2d5c7ff..bbd981c 100644
48			--- a/source3/libads/kerberos_keytab.c
49			+++ b/source3/libads/kerberos_keytab.c
50			@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
51			krb5_error_code ret = 0;
52			krb5_context context = NULL;
53			krb5_keytab keytab = NULL;
54			- krb5_kt_cursor cursor;
55			+ krb5_kt_cursor cursor = {0};
56			krb5_keytab_entry kt_entry = {0};
57			krb5_kvno kvno;
58			size_t found = 0;
59			--
60			2.4.6
61
62
63			From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001
64			From: Uri Simchoni <urisimchoni@gmail.com>
65			Date: Sat, 2 May 2015 13:44:52 +0300
66			Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer
67
68			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
69
70			In ads_keytab_creat_default(), if the keytab to be created cannot
71			be opened, the bail-out code calls smb_krb5_kt_free_entry() on
72			an uninitialized entry.
73
74			To reproduce:
75			1. Join a domain
76			2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P
77
78			Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
79			Reviewed-by: Jeremy Allison <jra@samba.org>
80			Reviewed-by: Andreas Schneider <asn@samba.org>
81			(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821)
82			---
83			source3/libads/kerberos_keytab.c \| 5 +++--
84			1 file changed, 3 insertions(+), 2 deletions(-)
85
86			diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
87			index bbd981c..ef6374a 100644
88			--- a/source3/libads/kerberos_keytab.c
89			+++ b/source3/libads/kerberos_keytab.c
90			@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
91			size_t i;
92			ADS_STATUS status;
93
94			+ ZERO_STRUCT(kt_entry);
95			+ ZERO_STRUCT(cursor);
96			+
97			frame = talloc_stackframe();
98			if (frame == NULL) {
99			ret = -1;
100			@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
101			#endif
102
103			memset(princ_s, '\0', sizeof(princ_s));
104			- ZERO_STRUCT(kt_entry);
105			- ZERO_STRUCT(cursor);
106
107			initialize_krb5_error_table();
108			ret = krb5_init_context(&context);
109			--
110			2.4.6
111
112
113			From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001
114			From: Uri Simchoni <urisimchoni@gmail.com>
115			Date: Sat, 2 May 2015 13:44:53 +0300
116			Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and
117			updating keytab
118
119			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418
120
121			When updating the system keytab as a result of joining a domain,
122			if the keytb had prior entries, ads_keytab_create_default tries to
123			update those entries. However, it starts updating before freeing the
124			cursor which was used for finding those entries, and hence causes
125			an an attempt to write-lock the keytab while a read-lock exists.
126
127			To reproduce configure smb.conf for ads domain member and run this twice:
128			net ads join -U <credentials> '--option=kerberos method=secrets and keytab'
129
130			Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
131			Reviewed-by: Jeremy Allison <jra@samba.org>
132			Reviewed-by: Andreas Schneider <asn@samba.org>
133
134			Autobuild-User(master): Jeremy Allison <jra@samba.org>
135			Autobuild-Date(master): Mon May 4 21:01:41 CEST 2015 on sn-devel-104
136
137			(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7)
138			---
139			source3/libads/kerberos_keytab.c \| 5 +++--
140			1 file changed, 3 insertions(+), 2 deletions(-)
141
142			diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
143			index ef6374a..309e614 100644
144			--- a/source3/libads/kerberos_keytab.c
145			+++ b/source3/libads/kerberos_keytab.c
146			@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
147			smb_krb5_kt_free_entry(context, &kt_entry);
148			ZERO_STRUCT(kt_entry);
149			}
150			+ krb5_kt_end_seq_get(context, keytab, &cursor);
151			+ ZERO_STRUCT(cursor);
152			+
153			ret = 0;
154			for (i = 0; oldEntries[i]; i++) {
155			ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
156			TALLOC_FREE(oldEntries[i]);
157			}
158			- krb5_kt_end_seq_get(context, keytab, &cursor);
159			- ZERO_STRUCT(cursor);
160
161			done:
162			TALLOC_FREE(oldEntries);
163			--
164			2.4.6
165