From 735b73ebbba370d01d427affa96fb0807f61720e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 18 Dec 2013 14:20:57 -0500
Subject: Pick up an interop fix from master (RT#7794)
- pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of #1043962)
---
 krb5-master-no-malloc0.patch | 39 +++++++++++++++++++++++++++++++++++++++
 krb5.spec | 9 ++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 krb5-master-no-malloc0.patch
diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch
new file mode 100644
index 0000000..e5b0e63
--- /dev/null
+++ b/krb5-master-no-malloc0.patch
@@ -0,0 +1,39 @@
+commit 13fd26e1863c79f616653f6a10a58c01f65fceff
+Author: Greg Hudson
+Date: Fri Dec 6 18:56:56 2013 -0500
+
+ Avoid malloc(0) in SPNEGO get_input_token
+
+ If we read a zero-length token in spnego_mech.c's get_input_token(),
+ set the value pointer to NULL instead of calling malloc(0).
+
+ ticket: 7794 (new)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 24c3440..3937662 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ return (NULL);
+
+ input_token->length = len;
+- input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->length > 0) {
++ input_token->value = gssalloc_malloc(input_token->length);
++ if (input_token->value == NULL) {
++ free(input_token);
++ return (NULL);
++ }
+
+- if (input_token->value == NULL) {
+- free(input_token);
+- return (NULL);
++ memcpy(input_token->value, *buff_in, input_token->length);
++ } else {
++ input_token->value = NULL;
+ }
+-
+- (void) memcpy(input_token->value, *buff_in, input_token->length);
+ *buff_in += input_token->length;
+ return (input_token);
+ }
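Review bot: The new else branch (`input_token->value = NULL;`) changes the contract of get_input_token(): a zero-length token now yields a NULL value pointer where gssalloc_malloc(0) previously returned a non-NULL pointer on most allocators, and nothing in this hunk shows whether the consumers in spnego_mech.c only touch value together with length. A comment on the else branch would make the new contract explicit, e.g. `/* Zero-length token: value stays NULL; callers must check length before dereferencing value. */`. The enclosing get_input_token() begins before the hunk, so how len is validated against buff_length is not visible here and is presumably unchanged. Before backporting, it is worth confirming that every caller passes value only to length-aware operations (memcpy/memcmp of 0 bytes, gss_release_buffer) rather than dereferencing it directly.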
diff --git a/krb5.spec b/krb5.spec
index 1d9161d..bac784a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-master-no-malloc0.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -300,6 +301,7 @@ ln -s NOTICE LICENSE
 %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
 %patch86 -p0 -b .debuginfo
 %patch105 -p1 -b .kvno
+%patch135 -p1 -b .no-malloc0
 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@@ -954,6 +956,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Wed Dec 18 2013 Nalin Dahyabhai - 1.12-2
+- pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of #1043962)
+
 * Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1
 - update to 1.12 final
-- 
cgit