From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001

From: Volker Lendecke <vl@samba.org>

Date: Wed, 4 Mar 2015 10:09:18 +0100

Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>

(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4)

---

 source3/libads/kerberos_keytab.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c

index ae3d80e39..2d5c7ff 100644

--- a/source3/libads/kerberos_keytab.c

+++ b/source3/libads/kerberos_keytab.c

@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

 	krb5_context context = NULL;

 	krb5_keytab keytab = NULL;

 	krb5_kt_cursor cursor;

-	krb5_keytab_entry kt_entry;

+	krb5_keytab_entry kt_entry = {0};

 	krb5_kvno kvno;

 	size_t found = 0;

 	char *sam_account_name, *upn;

-- 

2.4.6

From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001

From: Volker Lendecke <vl@samba.org>

Date: Wed, 4 Mar 2015 10:09:51 +0100

Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

Signed-off-by: Volker Lendecke <vl@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>

(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0)

---

 source3/libads/kerberos_keytab.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c

index 2d5c7ff..bbd981c 100644

--- a/source3/libads/kerberos_keytab.c

+++ b/source3/libads/kerberos_keytab.c

@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

 	krb5_error_code ret = 0;

 	krb5_context context = NULL;

 	krb5_keytab keytab = NULL;

-	krb5_kt_cursor cursor;

+	krb5_kt_cursor cursor = {0};

 	krb5_keytab_entry kt_entry = {0};

 	krb5_kvno kvno;

 	size_t found = 0;

-- 

2.4.6

From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001

From: Uri Simchoni <urisimchoni@gmail.com>

Date: Sat, 2 May 2015 13:44:52 +0300

Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

In ads_keytab_creat_default(), if the keytab to be created cannot

be opened, the bail-out code calls smb_krb5_kt_free_entry() on

an uninitialized entry.

To reproduce:

1. Join a domain

2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>

Reviewed-by: Jeremy Allison <jra@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821)

---

 source3/libads/kerberos_keytab.c | 5 +++--

 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c

index bbd981c..ef6374a 100644

--- a/source3/libads/kerberos_keytab.c

+++ b/source3/libads/kerberos_keytab.c

@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

 	size_t i;

 	ADS_STATUS status;

+	ZERO_STRUCT(kt_entry);

+	ZERO_STRUCT(cursor);

+

 	frame = talloc_stackframe();

 	if (frame == NULL) {

 		ret = -1;

@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

 #endif

 	memset(princ_s, '\0', sizeof(princ_s));

-	ZERO_STRUCT(kt_entry);

-	ZERO_STRUCT(cursor);

 	initialize_krb5_error_table();

 	ret = krb5_init_context(&context);

-- 

2.4.6

From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001

From: Uri Simchoni <urisimchoni@gmail.com>

Date: Sat, 2 May 2015 13:44:53 +0300

Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and

 updating keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418

When updating the system keytab as a result of joining a domain,

if the keytb had prior entries, ads_keytab_create_default tries to

update those entries. However, it starts updating before freeing the

cursor which was used for finding those entries, and hence causes

an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:

net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>

Reviewed-by: Jeremy Allison <jra@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>

Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104

(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7)

---

 source3/libads/kerberos_keytab.c | 5 +++--

 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c

index ef6374a..309e614 100644

--- a/source3/libads/kerberos_keytab.c

+++ b/source3/libads/kerberos_keytab.c

@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

 		smb_krb5_kt_free_entry(context, &kt_entry);

 		ZERO_STRUCT(kt_entry);

 	}

+	krb5_kt_end_seq_get(context, keytab, &cursor);

+	ZERO_STRUCT(cursor);

+

 	ret = 0;

 	for (i = 0; oldEntries[i]; i++) {

 		ret |= ads_keytab_add_entry(ads, oldEntries[i]);

 		TALLOC_FREE(oldEntries[i]);

 	}

-	krb5_kt_end_seq_get(context, keytab, &cursor);

-	ZERO_STRUCT(cursor);

 done:

 	TALLOC_FREE(oldEntries);

-- 

2.4.6