From: Andreas Schneider <asn@samba.org>
Date: Wed, 14 Jul 2021 12:51:34 +0000 (+0200)
Subject: CVE-2020-25719 mit-samba: Add ks_free_principal()
X-Git-Tag: ldb-2.5.0~165
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ef445a1f37e77df8016d240fcf22927165b8c03;p=thirdparty%2Fsamba.git

CVE-2020-25719 mit-samba: Add ks_free_principal()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

[abartlet@samba.org As submitted in patch to Samba bugzilla
 to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
 on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index d666216b0c1..e9613e2fc7e 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -46,6 +46,8 @@ krb5_error_code ks_get_principal(krb5_context context,
 				 unsigned int kflags,
 				 krb5_db_entry **kentry);
 
+void ks_free_principal(krb5_context context, krb5_db_entry *entry);
+
 bool ks_data_eq_string(krb5_data d, const char *s);
 
 krb5_data ks_make_data(void *data, unsigned int len);
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index b543600a360..3917b9824c6 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -62,6 +62,58 @@ cleanup:
 	return code;
 }
 
+static void ks_free_principal_e_data(krb5_context context, krb5_octet *e_data)
+{
+	struct samba_kdc_entry *skdc_entry;
+
+	skdc_entry = talloc_get_type_abort(e_data,
+					   struct samba_kdc_entry);
+	talloc_set_destructor(skdc_entry, NULL);
+	TALLOC_FREE(skdc_entry);
+}
+
+void ks_free_principal(krb5_context context, krb5_db_entry *entry)
+{
+	krb5_tl_data *tl_data_next = NULL;
+	krb5_tl_data *tl_data = NULL;
+	size_t i, j;
+
+	if (entry != NULL) {
+		krb5_free_principal(context, entry->princ);
+
+		for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
+			tl_data_next = tl_data->tl_data_next;
+			if (tl_data->tl_data_contents != NULL) {
+				free(tl_data->tl_data_contents);
+			}
+			free(tl_data);
+		}
+
+		if (entry->key_data != NULL) {
+			for (i = 0; i < entry->n_key_data; i++) {
+				for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+					if (entry->key_data[i].key_data_length[j] != 0) {
+						if (entry->key_data[i].key_data_contents[j] != NULL) {
+							memset(entry->key_data[i].key_data_contents[j], 0, entry->key_data[i].key_data_length[j]);
+							free(entry->key_data[i].key_data_contents[j]);
+						}
+					}
+					entry->key_data[i].key_data_contents[j] = NULL;
+					 entry->key_data[i].key_data_length[j] = 0;
+					 entry->key_data[i].key_data_type[j] = 0;
+				}
+			}
+			free(entry->key_data);
+		}
+
+		if (entry->e_data) {
+			ks_free_principal_e_data(context, entry->e_data);
+		}
+
+		free(entry);
+	}
+}
+
 static krb5_boolean ks_is_master_key_principal(krb5_context context,
 					       krb5_const_principal princ)
 {