7b546d
From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
7b546d
From: Alexander Bokovoy <abokovoy@redhat.com>
7b546d
Date: Fri, 6 Nov 2020 14:07:10 +0200
7b546d
Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
7b546d
7b546d
When initializing UPN suffixes, we calculate their sizes and didn't use
7b546d
the right variable to allocate their size. This affects us if there are
7b546d
more than one UPN suffix available for a trust due to memory corruption
7b546d
while filling in sizes.
7b546d
7b546d
Add unit test for multiple UPN suffixes.
7b546d
7b546d
Fixes: https://pagure.io/freeipa/issue/8566
7b546d
7b546d
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
7b546d
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
7b546d
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
7b546d
---
7b546d
 daemons/ipa-kdb/ipa_kdb_mspac.c       |  2 +-
7b546d
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
7b546d
 2 files changed, 51 insertions(+), 1 deletion(-)
7b546d
7b546d
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
7b546d
index dd29db190..fe5b586b6 100644
7b546d
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
7b546d
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
7b546d
@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
7b546d
             for (; t[n].upn_suffixes[len] != NULL; len++);
7b546d
 
7b546d
             if (len != 0) {
7b546d
-                t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
7b546d
+                t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
7b546d
                 if (t[n].upn_suffixes_len == NULL) {
7b546d
                     ret = ENOMEM;
7b546d
                     goto done;
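Review bot: The invariant behind the corrected `calloc(len, sizeof(size_t))` call is not written down anywhere in the hunk, which is how the trust index `n` ended up being used as the element count. A comment above the allocation such as `/* upn_suffixes is NULL-terminated; upn_suffixes_len holds one size_t per suffix, i.e. len entries */` would make it explicit. With the old count, trust 0 requested zero elements and trust n requested n, so going by the commit message the code that fills in the sizes wrote past the end of the heap allocation whenever a trust had more suffixes than its index. That is an out-of-bounds heap write in the KDB plugin rather than only a crash, and should be described as such when the fix is backported. The loop that fills the array and the `done:` cleanup are outside the hunk, so the write and the error path could not be checked here.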
7b546d
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
7b546d
index d3ef5c00d..752b24ea4 100644
7b546d
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
7b546d
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
7b546d
@@ -71,6 +71,10 @@
7b546d
 #define DOM_SID "S-1-5-21-1-2-3"
7b546d
 #define DOM_SID_TRUST "S-1-5-21-4-5-6"
7b546d
 #define BLACKLIST_SID "S-1-5-1"
7b546d
+#define NUM_SUFFIXES 10
7b546d
+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
7b546d
+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
7b546d
+#define EXTERNAL_REALM "WRONG.DOMAIN"
7b546d
 
7b546d
 static int setup(void **state)
7b546d
 {
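Review bot: `SUFFIX_TEMPLATE` formats its argument with `%0d`, but both call sites added by this patch pass a `size_t` loop index: the `asprintf` in `setup` and the one in `test_check_trusted_realms` through `TEST_REALM_TEMPLATE`. A `size_t` argument for an `int` conversion is undefined behaviour and will be reported by `-Wformat`. The `0` flag without a field width also has no effect. Either define the template as `#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME` or cast at the call sites with `(int)i`.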
7b546d
@@ -92,6 +96,9 @@
7b546d
     ipa_ctx = calloc(1, sizeof(struct ipadb_context));
7b546d
     assert_non_null(ipa_ctx);
7b546d
 
7b546d
+    kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
7b546d
+    assert_int_equal(kerr, 0);
7b546d
+
7b546d
     ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
7b546d
     assert_non_null(ipa_ctx->mspac);
7b546d
 
7b546d
@@ -126,6 +133,15 @@
7b546d
                         &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
7b546d
     assert_int_equal(ret, 0);
7b546d
 
7b546d
+    ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
7b546d
+    ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
7b546d
+    for (size_t i = 0; i < NUM_SUFFIXES; i++) {
7b546d
+	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
7b546d
+        ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
7b546d
+            strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
7b546d
+
7b546d
+    }
7b546d
+
7b546d
     ipa_ctx->kcontext = krb5_ctx;
7b546d
     kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
7b546d
     assert_int_equal(kerr, 0);
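Review bot: The two `calloc` results and the `asprintf` return value in the added block are used unchecked, unlike the `assert_non_null` checks on the allocations just above. If `asprintf` fails, the contents of `upn_suffixes[i]` are not defined and the following `strlen` reads through it. The fixture would then fail with a crash in `setup` instead of a clear assertion. The sketch below assumes the `ret` already used in this function is an `int`. The `asprintf` line is also indented with a tab where the rest of the block uses spaces, and `teardown` is outside the hunk, so it should be confirmed that it frees each suffix string and both arrays.

```c
    /* … unchanged: calloc of trusts[0].upn_suffixes … */
    assert_non_null(ipa_ctx->mspac->trusts[0].upn_suffixes);
    /* … unchanged: calloc of trusts[0].upn_suffixes_len … */
    assert_non_null(ipa_ctx->mspac->trusts[0].upn_suffixes_len);
    for (size_t i = 0; i < NUM_SUFFIXES; i++) {
        ret = asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
        assert_int_not_equal(ret, -1);
        /* … unchanged: upn_suffixes_len[i] = strlen(upn_suffixes[i]) … */
    }
```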
7b546d
@@ -478,6 +494,38 @@
7b546d
 }
7b546d
 
7b546d
 
7b546d
+void test_check_trusted_realms(void **state)
7b546d
+{
7b546d
+    struct test_ctx *test_ctx;
7b546d
+    krb5_error_code kerr = 0;
7b546d
+    char *trusted_realm = NULL;
7b546d
+
7b546d
+    test_ctx = (struct test_ctx *) *state;
7b546d
+
7b546d
+    for(size_t i = 0; i < NUM_SUFFIXES; i++) {
7b546d
+        char *test_realm = NULL;
7b546d
+        asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
7b546d
+
7b546d
+        if (test_realm) {
7b546d
+            kerr = ipadb_is_princ_from_trusted_realm(
7b546d
+                       test_ctx->krb5_ctx,
7b546d
+                       test_realm,
7b546d
+                       strlen(test_realm),
7b546d
+                       &trusted_realm);
7b546d
+            assert_int_equal(kerr, 0);
7b546d
+            free(test_realm);
7b546d
+            free(trusted_realm);
7b546d
+        }
7b546d
+    }
7b546d
+
7b546d
+    kerr = ipadb_is_princ_from_trusted_realm(
7b546d
+               test_ctx->krb5_ctx,
7b546d
+               EXTERNAL_REALM,
7b546d
+               strlen(EXTERNAL_REALM),
7b546d
+               &trusted_realm);
7b546d
+    assert_int_equal(kerr, KRB5_KDB_NOENTRY);
7b546d
+}
7b546d
+
7b546d
 int main(int argc, const char *argv[])
7b546d
 {
7b546d
     const struct CMUnitTest tests[] = {
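Review bot: The `if (test_realm)` guard in `test_check_trusted_realms` lets an iteration pass without testing anything when `asprintf` fails, so the test can succeed vacuously. Check the return value and assert instead, e.g. `assert_int_not_equal(asprintf(&test_realm, TEST_REALM_TEMPLATE, i), -1);`, and drop the `if`. `trusted_realm` is freed in every iteration but never reset, so the final negative call receives a pointer variable that still holds a freed address; adding `trusted_realm = NULL;` after `free(trusted_realm);` keeps an unexpected success from ending in a double free or a stale read. The only negative case is the unrelated `EXTERNAL_REALM`. If the lookup matches by suffix, as the `"some."` prefix in `TEST_REALM_TEMPLATE` suggests, a near-miss realm that ends in a configured suffix without a preceding dot would be a more meaningful rejection test for code that decides trust. `main` continues past the end of this hunk.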
7b546d
@@ -488,6 +536,8 @@
7b546d
         cmocka_unit_test(test_string_to_sid),
7b546d
         cmocka_unit_test_setup_teardown(test_dom_sid_string,
7b546d
                                         setup, teardown),
7b546d
+        cmocka_unit_test_setup_teardown(test_check_trusted_realms,
7b546d
+                                        setup, teardown),
7b546d
     };
7b546d
 
7b546d
     return cmocka_run_group_tests(tests, NULL, NULL);
7b546d
-- 
7b546d
2.29.2
7b546d