samba/backport-0028-CVE-2022-2031-CVE-2022-32744.patch


From 29ec8b2369b5f5e2a660a3165d2528982514a0f2 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 27 May 2022 19:21:06 +1200
Subject: [PATCH 72/99] CVE-2022-2031 s4:kpasswd: Correctly generate error strings
The error_data we create already has an explicit length, and should not
be zero-terminated, so we omit the trailing null byte. Previously,
Heimdal builds would leave a superfluous trailing null byte on error
strings, while MIT builds would omit the final character.
The two bytes added to the string's length are for the prepended error
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
Conflict: remove selftest/knownfail_heimdal_kdc selftest/knownfail_mit_kdc
---
source4/kdc/kpasswd-helper.c | 13 ++++++-------
3 files changed, 6 insertions(+), 34 deletions(-)
diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c
index 995f54825b5..55a2f5b3bf6 100644
--- a/source4/kdc/kpasswd-helper.c
+++ b/source4/kdc/kpasswd-helper.c
@@ -48,17 +48,16 @@ bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
}
/*
- * The string 's' has two terminating nul-bytes which are also
- * reflected by 'slen'. Normally Kerberos doesn't expect that strings
- * are nul-terminated, but Heimdal does!
+ * The string 's' has one terminating nul-byte which is also
+ * reflected by 'slen'. We subtract it from the length.
*/
-#ifndef SAMBA4_USES_HEIMDAL
- if (slen < 2) {
+ if (slen < 1) {
talloc_free(s);
return false;
}
- slen -= 2;
-#endif
+ slen--;
+
+ /* Two bytes are added to the length to account for the error code. */
if (2 + slen < slen) {
talloc_free(s);
return false;
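Review bot: the new guard `if (slen < 1)` only rejects an empty buffer, so a string consisting of nothing but its terminator passes and `slen--` leaves slen at 0, yielding an error_data that carries only the two error-code bytes and no message text; if a zero-length message is never legitimate here, tighten the guard to `if (slen < 2)` so the reply always contains at least one character, or say in the comment that an empty message is an accepted outcome. The overflow check `if (2 + slen < slen)` is still correct now that it runs on the decremented value, but the comment "Two bytes are added to the length to account for the error code." sits above a comparison rather than the addition it describes; consider moving it next to the line that actually adds the two bytes, or rewording it as "The two bytes for the error code must not overflow the length."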
--
2.25.1