CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure

author Joseph Sutton <josephsutton@catalyst.net.nz>

Wed, 18 May 2022 04:48:59 +0000 (16:48 +1200)

committer Jule Anger <janger@samba.org>

Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 18 May 2022 04:48:59 +0000 (16:48 +1200)
committer Jule Anger <janger@samba.org>
Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc

index dfe9a5c212e599e0ea3ab1d8229daab81def53fd..a1059a54b8168ef68cd317e934ff6741212b8f10 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -437,7 +437,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
  # Kpasswd tests
  #
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20

index f886c36038162f35a658b5ededdf4e070aadde06..c4f2ea2def7909fddff6f9fd2e471db5f0545c96 100644 (file)
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -13,6 +13,7 @@
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c

index 061aedc80e57d059d052b885b35a448a12ff3d81..22e1295c11ef871f7a497f3189c9ccb33f1507a3 100644 (file)
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -256,6 +256,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                                       &kpasswd_dec_reply,
                                       &error_string);
         if (code != 0) {
+               ap_rep_blob = data_blob_null;
                 error_code = code;
                 goto reply;
         }
@@ -265,6 +266,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                              &kpasswd_dec_reply,
                              &enc_data_blob);
         if (!NT_STATUS_IS_OK(status)) {
+               ap_rep_blob = data_blob_null;
                 error_code = KRB5_KPASSWD_HARDERROR;
                 error_string = talloc_asprintf(tmp_ctx,
                                                "gensec_wrap failed - %s\n",
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Wed, 18 May 2022 04:48:59 +0000 (16:48 +1200)
committer	Jule Anger <janger@samba.org>
	Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
selftest/knownfail_mit_kdc		patch \| blob \| history
selftest/knownfail_mit_kdc_1_20		patch \| blob \| history
source4/kdc/kpasswd-service.c		patch \| blob \| history