s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()

If the keytab file isn't readable, we may call
krb5_kt_end_seq_get() with an invalid kt_cursor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 703d1b4c92505a980ac7297e1ff60407d1d1ccc7..4dd39eaf08d8f492b6b332cfb5b2f30e4c1ab575 100644 (file)
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -437,6 +437,14 @@ static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
        if (ret) {
                DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
                          error_message(ret)));
+               /*
+                * krb5_kt_start_seq_get() may leaves bogus data
+                * in kt_cursor. And we want to use the all_zero()
+                * logic below.
+                *
+                * See bug #10490
+                */
+               ZERO_STRUCT(kt_cursor);
                goto out;
        }