author | Andrew Bartlett <abartlet@samba.org> | 2018-10-23 17:33:46 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-11-26 08:54:31 +0100 |
commit | da9eeee6fce920b78e375e7be3993f1c4dbd1c14 (patch) | |
tree | 5157d4f31c8a83bb5eb9881008ca696aa45422e5 /source4/kdc | |
parent | 86ddd7032489053acba6d240db5db7ef49c38429 (diff) | |
download | samba-da9eeee6fce920b78e375e7be3993f1c4dbd1c14.tar.gz |
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.
This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/db-glue.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8ccc34cd665..519060a5641 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 * comparison */
 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
 talloc_free(mem_ctx);
-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
 return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+#else /* Heimdal (where this is an enum) */
+ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 #endif
 }
|
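Review bot: The `#else /* Heimdal (where this is an enum) */` comment does not say why the enum matters, so a later tidy-up could reintroduce `#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH`. I would add a comment above the `#if`, such as `/* Only the MIT name is a macro; Heimdal's is an enum constant, so #ifdef on it is always false and no return is compiled after talloc_free(mem_ctx). */`. Going by the commit message, that missing return is what led to the second free of mem_ctx; the code that performs it is outside this hunk, as are the start and end of samba_kdc_check_pkinit_ms_upn_match. The same macro-versus-enum assumption may sit behind other `#ifdef KRB5_KDC_ERR_*` guards in the tree, so searching for them alongside this fix would be worthwhile.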