author: Simo Sorce <simo@redhat.com> 2019-09-16 11:12:25 -0400
committer: Simo Sorce <simo@redhat.com> 2019-09-16 11:18:30 -0400
commit: 94f4819cc6ea1ebe167c1c68ed25e82a7dbb33fe
tree: e31bffce1856c26729caad2c0e24c5d95df312f0
parent: f1e20b45c5deeb25989c87a2d717bda5a31bb084
Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at by "t", if that is not provided the pointer will be stored in whatever memory location is pointed by the stack at that time causing a crash.

Note that this is effectively unused code because in ipa-kdb the only party that can write a key_data structure to be stored is the kdb_driver itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo@redhat.com>
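An added example, not part of this commit or of FreeIPA: a small source check that flags `ber_scanf` calls whose format string needs more or fewer pointer arguments than the call supplies, which is the class of bug described above and one the C compiler cannot see in a variadic call. The per-character argument table is a partial one based on OpenLDAP's lber-decode(3) and is an assumption to verify against your liblber; the names `ARGS`, `check`, `supplied_args` and `SAMPLE` are hypothetical, and only single-line calls are handled.

```python
import re

# Pointer arguments consumed per ber_scanf format character.
# Partial table (assumption, after OpenLDAP lber-decode(3)); any character
# not listed here is reported for manual review instead of being guessed.
ARGS = {**dict.fromkeys("tTiebalOom", 1), **dict.fromkeys("sB", 2),
        **dict.fromkeys("xn{}[]", 0)}

# ber_scanf(<ber>, "<format>" ... ; group 1 is the format string.
CALL = re.compile(r'ber_scanf\s*\(\s*[^,()]+,\s*"([^"]*)"')


def supplied_args(rest):
    """Count top-level arguments that follow the format string."""
    depth = commas = 0
    for ch in rest:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:
                return commas      # closing paren of the ber_scanf call
            depth -= 1
        elif ch == "," and depth == 0:
            commas += 1
    return None                    # call continues on another line


def check(source):
    """Return (line number, format, reason) for each suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CALL.search(line)
        if not m:
            continue
        fmt = m.group(1)
        got = supplied_args(line[m.end():])
        if got is None or any(c not in ARGS for c in fmt):
            findings.append((lineno, fmt, "review by hand"))
            continue
        want = sum(ARGS[c] for c in fmt)
        if want != got:
            findings.append((lineno, fmt, f"needs {want} pointer(s), has {got}"))
    return findings


# Constructed input: the three ber_scanf lines visible in the diff below.
SAMPLE = '''retag = ber_scanf(be, "t[x]}");
retag = ber_scanf(be, "t[x]}", &tag);
retag = ber_scanf(be, "}");
'''

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

Only the pre-fix line is reported; the corrected call and the `"}"` call pass.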
-rw-r--r-- util/ipa_krb5.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index a27cd4a4e..c09c3daa5 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
retag = ber_peek_tag(be, &setlen);
if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
/* not supported yet, skip */
- retag = ber_scanf(be, "t[x]}");
+ retag = ber_scanf(be, "t[x]}", &tag);
} else {
retag = ber_scanf(be, "}");
}
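Review bot: at the new `ber_scanf(be, "t[x]}", &tag)` call the declaration of `tag` lies outside the visible context, so please confirm it is declared as `ber_tag_t` and not as `int` or `ber_int_t`, because the "t" conversion stores a full `ber_tag_t` through that pointer and a narrower object would still be overwritten past its end. The value written to `tag` is never read in this skip branch, so a one-line comment stating that it is only scratch storage for "t" would keep a later cleanup from removing it as an unused variable and reintroducing the crash. It would also help to check `retag` against `LBER_ERROR` after the if/else if the code below the hunk does not already do so, since both branches overwrite the peeked tag with the `ber_scanf` result.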