[krb5/f20] Pull in fix for possible NULL deref on bdb error

Nalin Dahyabhai nalin at fedoraproject.org
Wed Aug 20 21:31:20 UTC 2014


commit 5f545864a3614959679e0b1cf7cef5906822deb0
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Wed Aug 20 17:15:09 2014 -0400

    Pull in fix for possible NULL deref on bdb error
    
    - pull in upstream fix for a possible null dereference in a db2 btree
      error case (#1132062)

 krb5-master-hprev.patch |   43 +++++++++++++++++++++++++++++++++++++++++++
 krb5.spec               |    4 ++++
 2 files changed, 47 insertions(+), 0 deletions(-)
---
diff --git a/krb5-master-hprev.patch b/krb5-master-hprev.patch
new file mode 100644
index 0000000..04d814e
--- /dev/null
+++ b/krb5-master-hprev.patch
@@ -0,0 +1,43 @@
+commit f5345bba2a993066f9b886dae491d211ed9be057
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Thu Dec 20 14:17:45 2012 -0500
+
+    Avoid null dereference in BDB dbtree error case
+    
+    An error case in __bt_first would deference a null pointer.  This is
+    an old upstream BDB bug.  Use a separate variable to hold the result
+    of mpool_get() until it has been checked.  Reported by Nickolai
+    Zeldovich <nickolai at csail.mit.edu>.
+    
+    ticket: 7511
+
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_seq.c b/src/plugins/kdb/db2/libdb2/btree/bt_seq.c
+index 5707cab..b39d89e 100644
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_seq.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_seq.c
+@@ -400,7 +400,7 @@ __bt_first(t, key, erval, exactp)
+ 	EPG *erval;
+ 	int *exactp;
+ {
+-	PAGE *h;
++	PAGE *h, *hprev;
+ 	EPG *ep, save;
+ 	db_pgno_t pg;
+ 
+@@ -444,14 +444,14 @@ __bt_first(t, key, erval, exactp)
+ 					break;
+ 				if (h->pgno != save.page->pgno)
+ 					mpool_put(t->bt_mp, h, 0);
+-				if ((h = mpool_get(t->bt_mp,
++				if ((hprev = mpool_get(t->bt_mp,
+ 				    h->prevpg, 0)) == NULL) {
+ 					if (h->pgno == save.page->pgno)
+ 						mpool_put(t->bt_mp,
+ 						    save.page, 0);
+ 					return (RET_ERROR);
+ 				}
+-				ep->page = h;
++				ep->page = h = hprev;
+ 				ep->index = NEXTINDEX(h);
+ 			}
+ 			--ep->index;
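Review bot: The error branch still reads `h->pgno` after `h` may already have been released with `mpool_put(t->bt_mp, h, 0)` a few lines earlier, and the `mpool_get()` that failed in between could have recycled that unpinned buffer, so the `h->pgno == save.page->pgno` test may be looking at stale memory; the commit only stops `h` itself being overwritten with NULL. Capturing the page number before the put, e.g. `db_pgno_t hpg = h->pgno;` ahead of the `if (h->pgno != save.page->pgno)` test, and comparing `hpg == save.page->pgno` in the error branch, would remove that dependence (the `h->prevpg` argument is evaluated before the call, so it is only exposed if mpool_put itself invalidates the page). Whether mpool_get can evict an unpinned page on its failure path is not visible in this hunk and should be confirmed against the mpool implementation. __bt_first begins and ends outside the hunk.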
diff --git a/krb5.spec b/krb5.spec
index face756..cbab18b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -134,6 +134,7 @@ Patch166: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt
 Patch167: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc
 
 Patch168: krb5-master-strdupcheck.patch
+Patch169: krb5-master-hprev.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -426,6 +427,7 @@ ln -s NOTICE LICENSE
 
 %patch166 -p1 -b .2014-001
 %patch168 -p1 -b .master-strdupcheck
+%patch169 -p1 -b .master-hprev
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -1102,6 +1104,8 @@ exit 0
 * Wed Aug 20 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-12
 - pull in upstream fix for an incorrect check on the value returned by a
   strdup() call (#1132062)
+- pull in upstream fix for a possible null dereference in a db2 btree error
+  case (#1132062)
 
 * Thu Aug  7 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-11
 - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)

