From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 18 May 2022 04:48:59 +0000 (+1200)
Subject: CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
X-Git-Tag: samba-4.17.0rc1~293
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0;p=thirdparty%2Fsamba.git

CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index dfe9a5c212e..a1059a54b81 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -437,7 +437,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 # Kpasswd tests
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index f886c360381..c4f2ea2def7 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -13,6 +13,7 @@
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index 061aedc80e5..22e1295c11e 100644
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -256,6 +256,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
 				      &kpasswd_dec_reply,
 				      &error_string);
 	if (code != 0) {
+		ap_rep_blob = data_blob_null;
 		error_code = code;
 		goto reply;
 	}
@@ -265,6 +266,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
 			     &kpasswd_dec_reply,
 			     &enc_data_blob);
 	if (!NT_STATUS_IS_OK(status)) {
+		ap_rep_blob = data_blob_null;
 		error_code = KRB5_KPASSWD_HARDERROR;
 		error_string = talloc_asprintf(tmp_ctx,
 					       "gensec_wrap failed - %s\n",