8 files changed, 118 insertions, 12 deletions
diff --git a/third_party/heimdal/kadmin/Makefile.am b/third_party/heimdal/kadmin/Makefile.am
index e7fe58f8d73..d9b8fee1c65 100644
--- a/third_party/heimdal/kadmin/Makefile.am
+++ b/third_party/heimdal/kadmin/Makefile.am
@@ -69,6 +69,7 @@ LDADD_common = \
 	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
 
 kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	../lib/gssapi/libgssapi.la \
 	$(LDADD_common) \
 	$(LIB_pidfile) \
diff --git a/third_party/heimdal/kadmin/ank.c b/third_party/heimdal/kadmin/ank.c
index 4b89ca6eedd..fba3450aa89 100644
--- a/third_party/heimdal/kadmin/ank.c
+++ b/third_party/heimdal/kadmin/ank.c
@@ -182,8 +182,13 @@ add_one_principal(const char *name,
 	    krb5_free_keyblock_contents(context, &new_keys[i]);
 	if (n_keys > 0)
 	    free(new_keys);
-	kadm5_get_principal(kadm_handle, princ_ent, &princ,
-			    KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+        ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
+                                  KADM5_PRINCIPAL | KADM5_KVNO |
+                                      KADM5_ATTRIBUTES);
+        if (ret) {
+            krb5_warn(context, ret, "kadm5_get_principal");
+            goto out;
+        }
         krb5_free_principal(context, princ_ent);
         princ_ent = princ.principal;
 	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
diff --git a/third_party/heimdal/kadmin/cpw.c b/third_party/heimdal/kadmin/cpw.c
index 7ffc828cf30..13973177710 100644
--- a/third_party/heimdal/kadmin/cpw.c
+++ b/third_party/heimdal/kadmin/cpw.c
@@ -156,8 +156,10 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
     int i;
     struct cpw_entry_data data;
     int num;
+    int16_t n_key_data = 0;
     krb5_key_data key_data[3];
 
+    memset(key_data, 0, sizeof(key_data));
     data.kadm_handle = NULL;
     ret = kadm5_dup_context(kadm_handle, &data.kadm_handle);
     if (ret)
@@ -214,6 +216,7 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
 		     opt->key_string, error);
 	    return 1;
 	}
+        n_key_data = sizeof(key_data)/sizeof(key_data[0]);
 	data.key_data = key_data;
     }
 
@@ -222,10 +225,8 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
 
     kadm5_destroy(data.kadm_handle);
 
-    if (data.key_data) {
-	int16_t dummy;
-	kadm5_free_key_data (kadm_handle, &dummy, key_data);
-    }
+    if (opt->key_string)
+        kadm5_free_key_data(kadm_handle, &n_key_data, key_data);
 
     return ret != 0;
 }
diff --git a/third_party/heimdal/kadmin/get.c b/third_party/heimdal/kadmin/get.c
index 6e8ada01ea4..1942d63894e 100644
--- a/third_party/heimdal/kadmin/get.c
+++ b/third_party/heimdal/kadmin/get.c
@@ -233,6 +233,8 @@ format_field(struct get_entry_data *data,
              size_t buf_len,
              int condensed)
 {
+    krb5_error_code ret;
+
     switch(field) {
     case KADM5_PRINCIPAL:
 	if(condensed)
@@ -302,7 +304,10 @@ format_field(struct get_entry_data *data,
 	krb5_salt def_salt;
 	int i;
 	char buf2[1024];
-	krb5_get_pw_salt (context, princ->principal, &def_salt);
+
+	ret = krb5_get_pw_salt(context, princ->principal, &def_salt);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_get_pw_salt");
 
 	*buf = '\0';
 	for (i = 0; i < princ->n_key_data; ++i) {
@@ -335,7 +340,6 @@ format_field(struct get_entry_data *data,
             HDB_EncTypeList etypes;
 	    size_t i, size;
             char *str;
-	    int ret;
 
             ret = decode_HDB_EncTypeList(tl->tl_data_contents,
                                          tl->tl_data_length,
@@ -360,7 +364,6 @@ format_field(struct get_entry_data *data,
 	case KRB5_TL_PKINIT_ACL: {
 	    HDB_Ext_PKINIT_acl acl;
 	    size_t size;
-	    int ret;
 	    size_t i;
 
 	    ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents,
@@ -403,7 +406,6 @@ format_field(struct get_entry_data *data,
 	case KRB5_TL_ALIASES: {
 	    HDB_Ext_Aliases alias;
 	    size_t size;
-	    int ret;
 	    size_t i;
 
 	    ret = decode_HDB_Ext_Aliases(tl->tl_data_contents,
diff --git a/third_party/heimdal/kadmin/kadmin.c b/third_party/heimdal/kadmin/kadmin.c
index d2f5abadd15..607ba03e236 100644
--- a/third_party/heimdal/kadmin/kadmin.c
+++ b/third_party/heimdal/kadmin/kadmin.c
@@ -296,10 +296,13 @@ main(int argc, char **argv)
     } else {
 	while(!exit_seen) {
 	    ret = sl_command_loop(commands, "kadmin> ", NULL);
-	    if (ret == -2)
+	    if (ret == -2) {
 		exit_seen = 1;
-	    else if (ret != 0)
+            } else if (ret != 0) {
 		exit_status = 1;
+                if (!isatty(STDIN_FILENO))
+                    exit_seen = 1;
+            }
 	}
     }
 
diff --git a/third_party/heimdal/kadmin/kadmind.c b/third_party/heimdal/kadmin/kadmind.c
index cf335d6dc01..4ea513e08d3 100644
--- a/third_party/heimdal/kadmin/kadmind.c
+++ b/third_party/heimdal/kadmin/kadmind.c
@@ -32,6 +32,8 @@
  */
 
 #include "kadmin_locl.h"
+#include "heim_threads.h"
+#include "krb5-protos.h"
 
 static char *check_library  = NULL;
 static char *check_function = NULL;
@@ -39,6 +41,13 @@ static getarg_strings policy_libraries = { 0, NULL };
 static char *config_file;
 static char sHDB[] = "HDBGET:";
 static char *keytab_str = sHDB;
+#ifndef WIN32
+static char *fuzz_file;
+static char *fuzz_client_name;
+static char *fuzz_keytab_name;
+static char *fuzz_service_name;
+static char *fuzz_admin_server;
+#endif
 static int help_flag;
 static int version_flag;
 static int debug_flag;
@@ -88,6 +97,16 @@ static struct getargs args[] = {
 	"ports to listen to", "port" },
     {	"read-only",	0,	arg_flag,   &readonly_flag,
 	"read-only operations", NULL },
+#ifndef WIN32
+    {	"fuzz-file",	0,	arg_string, &fuzz_file,
+	"Kadmin RPC body for fuzzing", "FILE" },
+    {	"fuzz-client",	0,	arg_string, &fuzz_client_name,
+	"Client name for fuzzing", "PRINCIPAL" },
+    {	"fuzz-keytab",	0,	arg_string, &fuzz_keytab_name,
+	"Keytab for fuzzing", "KEYTAB" },
+    {	"fuzz-server",	0,	arg_string, &fuzz_admin_server,
+	"Name of kadmind self instance", "HOST:PORT" },
+#endif
     {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
     {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
@@ -103,6 +122,8 @@ usage(int ret)
     exit (ret);
 }
 
+static void *fuzz_thread(void *);
+
 int
 main(int argc, char **argv)
 {
@@ -220,7 +241,78 @@ main(int argc, char **argv)
     if(realm)
 	krb5_set_default_realm(context, realm); /* XXX */
 
+#ifndef WIN32
+    if (fuzz_file) {
+	HEIMDAL_THREAD_ID tid;
+
+	if (fuzz_admin_server == NULL)
+	    errx(1, "If --fuzz-file is given then --fuzz-server must be too");
+	HEIMDAL_THREAD_create(&tid, fuzz_thread, NULL);
+    }
+#endif
+
     kadmind_loop(context, keytab, sfd, readonly_flag);
 
     return 0;
 }
+
+#ifndef WIN32
+static void *
+fuzz_thread(void *arg)
+{
+    kadm5_config_params conf;
+    krb5_error_code ret;
+    krb5_context context2;
+    krb5_storage *sp;
+    krb5_data reply;
+    void *server_handle = NULL;
+    int fd;
+
+    memset(&conf, 0, sizeof(conf));
+    conf.admin_server = fuzz_admin_server;
+
+    fd = open(fuzz_file, O_RDONLY);
+    if (fd < 0)
+	err(1, "Could not open fuzz file %s", fuzz_file);
+    sp = krb5_storage_from_fd(fd);
+    if (sp == NULL)
+	err(1, "Could not read fuzz file %s", fuzz_file);
+    (void) close(fd);
+
+    ret = krb5_init_context(&context2);
+    if (ret)
+	errx(1, "Fuzzing failed: krb5_init_context failed: %d", ret);
+    ret = kadm5_c_init_with_skey_ctx(context2,
+                                     fuzz_client_name,
+                                     fuzz_keytab_name,
+				     fuzz_service_name ?
+					fuzz_service_name :
+					 KADM5_ADMIN_SERVICE,
+                                     &conf,
+                                     0, /* struct_version */
+                                     0, /* api_version */
+                                     &server_handle);
+    if (ret)
+	errx(1, "Fuzzing failed: kadm5_c_init_with_skey_ctx failed: %d", ret);
+
+    ret = _kadm5_connect(server_handle, 1 /* want_write */);
+    if (ret)
+	errx(1, "Fuzzing failed: Could not connect to self (%s): "
+             "_kadm5_connect failed: %d", fuzz_admin_server, ret);
+    ret = _kadm5_client_send(server_handle, sp);
+    if (ret)
+	errx(1, "Fuzzing failed: Could not send request to self (%s): "
+             "_kadm5_client_send failed: %d", fuzz_admin_server, ret);
+    krb5_data_zero(&reply);
+    ret = _kadm5_client_recv(server_handle, &reply);
+    if (ret)
+	errx(1, "Fuzzing failed: Could not read reply from self (%s): "
+             "_kadm5_client_recv failed: %d", fuzz_admin_server, ret);
+    krb5_storage_free(sp);
+    krb5_data_free(&reply);
+    fprintf(stderr, "Fuzzed with %s", fuzz_file);
+    exit(0);
+
+    return NULL;
+}
+#endif
diff --git a/third_party/heimdal/kadmin/mod.c b/third_party/heimdal/kadmin/mod.c
index 3bcd9ac31d5..2d4bd5d5077 100644
--- a/third_party/heimdal/kadmin/mod.c
+++ b/third_party/heimdal/kadmin/mod.c
@@ -262,6 +262,7 @@ add_kvno_diff(krb5_context contextp, kadm5_principal_ent_rec *princ,
     if (kvno_diff > 2048)
 	kvno_diff = 2048;
 
+    ext.mandatory = 0;
     if (is_svc_diff) {
 	ext.data.element = choice_HDB_extension_data_hist_kvno_diff_svc;
 	ext.data.u.hist_kvno_diff_svc = (unsigned int)kvno_diff;
diff --git a/third_party/heimdal/kadmin/rpc.c b/third_party/heimdal/kadmin/rpc.c
index 5cae3d2c239..8a176da6399 100644
--- a/third_party/heimdal/kadmin/rpc.c
+++ b/third_party/heimdal/kadmin/rpc.c
@@ -529,6 +529,7 @@ ret_principal_ent(krb5_context contextp,
 	CHECK(krb5_ret_uint32(sp, &flag));
 	ent->key_data[i].key_data_type[1] = flag;
     }
+    CHECK(i == num);
 
     return 0;
 }