CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 2ddd027c8ea708e801daee756650af6b5096dbd1..e37a048105f6632d1b77a85e14c93e1e3c801e06 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -548,7 +548,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 # Kpasswd tests
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc

diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index 061aedc80e57d059d052b885b35a448a12ff3d81..22e1295c11ef871f7a497f3189c9ccb33f1507a3 100644 (file)
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -256,6 +256,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                                      &kpasswd_dec_reply,
                                      &error_string);
        if (code != 0) {
+               ap_rep_blob = data_blob_null;
                error_code = code;
                goto reply;
        }
@@ -265,6 +266,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
                             &kpasswd_dec_reply,
                             &enc_data_blob);
        if (!NT_STATUS_IS_OK(status)) {
+               ap_rep_blob = data_blob_null;
                error_code = KRB5_KPASSWD_HARDERROR;
                error_string = talloc_asprintf(tmp_ctx,
                                               "gensec_wrap failed - %s\n",