authorIsaac Boukris <iboukris@gmail.com>2018-11-07 22:53:35 +0200
committerKarolin Seeger <kseeger@samba.org>2018-12-07 11:39:37 +0100
commitfcbea2c7c9680ad7e24235150d61f9a0aee36bb4 (patch)
tree0b3172e9402530e877fcddb4b5722efae4c77224 /source4
parent09b9a9bed3aae0fbd945921849cd66ce9e22e0ea (diff)
downloadsamba-fcbea2c7c9680ad7e24235150d61f9a0aee36bb4.tar.gz
CVE-2018-16853: fix crash in expired passowrd case
When calling encode_krb5_padata_sequence(), make sure to pass a NULL-terminated array as required. Fixes the expired password case in the samba4.blackbox.kinit test. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/mit_samba.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 1cd6750f5ab..8283c726487 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data
static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
{
krb5_error_code ret = 0;
- krb5_pa_data pa, *ppa = NULL;
+ krb5_pa_data pa, *ppa[2];
krb5_data *d = NULL;
if (!e_data)
@@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
SIVAL(pa.contents, 4, 0);
SIVAL(pa.contents, 8, 1);
- ppa = &pa;
+ ppa[0] = &pa;
+ ppa[1] = NULL;
- ret = encode_krb5_padata_sequence(&ppa, &d);
+ ret = encode_krb5_padata_sequence(ppa, &d);
free(pa.contents);
if (ret) {
return;
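Review bot: The terminator that `encode_krb5_padata_sequence()` depends on is set by a bare `ppa[1] = NULL;` with nothing in the code recording why, so a later edit could drop it and reintroduce the read past the end of the pointer array that presumably caused the crash named in the commit title. I would add a comment above the two assignments, `/* encode_krb5_padata_sequence() expects a NULL-terminated array of krb5_pa_data pointers */`. It would also help to tie the terminator to the declaration in the first hunk, `krb5_pa_data pa, *ppa[2] = { &pa, NULL };`, so the array is never in a state without its sentinel. The body of samba_kdc_build_edata_reply() continues past the end of this hunk, so the handling of `d` after the `if (ret)` check is not visible here.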