[openldap/f16] fix: reading pin from file can make all TLS connections hang

jvcelak jvcelak at fedoraproject.org
Wed Jun 27 15:22:19 UTC 2012


commit b6dfd9e11c00ed1a74baca35f7aa14a2938bdb39
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Jun 27 13:48:40 2012 +0200

    fix: reading pin from file can make all TLS connections hang
    
    Resolves: #829317

 openldap-nss-clean-memory-for-token-pin.patch |   31 +++++++++++++++++++++++++
 openldap.spec                                 |    3 ++
 2 files changed, 34 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-clean-memory-for-token-pin.patch b/openldap-nss-clean-memory-for-token-pin.patch
new file mode 100644
index 0000000..5be680d
--- /dev/null
+++ b/openldap-nss-clean-memory-for-token-pin.patch
@@ -0,0 +1,31 @@
+MozNSS: read pin from file file can cause infinite loop
+
+The buffer allocated for reading password file has to be initialized
+with zeros, or we need to append zero at the end of the file. Otherwise
+we might read unitialized memory and consider it to be a password.
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Upstream ITS: #7291
+Upstream commit: 00d0e162720b8cf03b9e5428892158f0768db9a6
+Resolves: #829317
+
+---
+ libraries/libldap/tls_m.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index d71fec7..2e755eb 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -786,7 +786,7 @@ tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
+ 	}
+ 
+ 	/* create a buffer to hold the file contents */
+-	if ( !( contents = PR_MALLOC( file_info.size + 1 ) ) ) {
++	if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) {
+ 		PRErrorCode errcode = PR_GetError();
+ 		Debug( LDAP_DEBUG_ANY,
+ 		       "TLS: could not alloc a buffer for contents of pin file %s - error %d:%s.\n",
+-- 
+1.7.10.4
+
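Review bot: The `PR_CALLOC( file_info.size + 1 )` call in the embedded tls_m.c hunk now carries a correctness requirement that the unchanged comment above it does not record: the zero fill is what terminates the PIN file contents for the code that consumes them. I would extend that comment to something like `/* zero-filled buffer: the extra byte stays NUL and terminates the file contents */`, so that a later cleanup does not switch back to PR_MALLOC. The read and parse code of tlsm_get_pin_from_file lies outside the hunk, so it is worth confirming there that the read is bounded by `file_info.size` (presumably it is), since a longer read would overwrite the terminator. Because this buffer holds a token PIN, also check that it is cleared before it is freed; that path is not visible here.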
diff --git a/openldap.spec b/openldap.spec
index 53b0a03..6bec6c0 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -46,6 +46,7 @@ Patch20: openldap-nss-deferred-init-copy-params.patch
 Patch21: openldap-nss-segfault-key-not-set.patch
 Patch22: openldap-ld_defconn-rebind.patch
 Patch23: openldap-nss-dont-overwrite-verify-cert-error.patch
+Patch24: openldap-nss-clean-memory-for-token-pin.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -162,6 +163,7 @@ pushd openldap-%{version}
 %patch21 -p1 -b .nss-segfault-key-not-set
 %patch22 -p1 -b .ld_defconn-rebind
 %patch23 -p1 -b .nss-dont-overwrite-verify-cert-error
+%patch24 -p1 -b .nss-clean-memory-for-token-pin
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -689,6 +691,7 @@ exit 0
 %changelog
 * Wed Jun 27 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.26-8
 - fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+- fix: reading pin from file can make all TLS connections hang (#829317)
 
 * Mon Mar 26 2012 Jan Synáček <jsynacek at redhat.com> 2.4.26-7
 - fix: Re-binding to a failed connection can segfault (#784989)

