From 61db30080726bfc4832b8516b335734a5246ac0b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 16 Sep 2019 11:12:25 -0400
Subject: [PATCH] Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 util/ipa_krb5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index a27cd4a4e538c738c6ab2157a4daabf8fea7661c..c09c3daa505655f2e5292a79c03683faa75ad244 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
         retag = ber_peek_tag(be, &setlen);
         if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
             /* not supported yet, skip */
-            retag = ber_scanf(be, "t[x]}");
+            retag = ber_scanf(be, "t[x]}", &tag);
         } else {
             retag = ber_scanf(be, "}");
         }
-- 
2.23.0