From 7c7702f91df1fab6e4137d191c3d08a32cdf4bc5 Mon Sep 17 00:00:00 2001
From: Dmitry Timoshkov
Date: Tue, 5 Mar 2024 10:53:43 +0300
Subject: [PATCH] kerberos: Allocate memory for the output token if requested.

Signed-off-by: Dmitry Timoshkov
---
 dlls/kerberos/krb5_ap.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index ae68c4b90c2..5a5878faf02 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -477,7 +477,7 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential,
 {
 static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE |
- ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION | ISC_REQ_DELEGATE;
+ ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION | ISC_REQ_DELEGATE | ISC_REQ_ALLOCATE_MEMORY;
 char *target = NULL;
 NTSTATUS status;
 ULONG exptime;
@@ -512,17 +512,41 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential,
 params.input_token_length = input->pBuffers[idx].cbBuffer;
 }
- if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1)
+ {
+ free( target );
+ return SEC_E_INVALID_TOKEN;
+ }
+ if (context_req & ISC_REQ_ALLOCATE_MEMORY)
+ {
+ output->pBuffers[idx].pvBuffer = RtlAllocateHeap( GetProcessHeap(), 0, KERBEROS_MAX_BUF );
+ if (!output->pBuffers[idx].pvBuffer)
+ {
+ free( target );
+ return STATUS_NO_MEMORY;
+ }
+ output->pBuffers[idx].cbBuffer = KERBEROS_MAX_BUF;
+ }
 params.output_token = output->pBuffers[idx].pvBuffer;
 params.output_token_length = &output->pBuffers[idx].cbBuffer;
 status = KRB5_CALL( initialize_context, ¶ms );
 if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED)
- *new_context = create_context_handle( context_handle, new_context_handle );
- if (!status)
 {
- *mapped_context = TRUE;
- expiry_to_timestamp( exptime, expiry );
+ *new_context = create_context_handle( context_handle, new_context_handle );
+ if (context_attr && (context_req & ISC_REQ_ALLOCATE_MEMORY))
+ *context_attr |= ISC_RET_ALLOCATED_MEMORY;
+
+ if (status == SEC_E_OK)
+ {
+ *mapped_context = TRUE;
+ expiry_to_timestamp( exptime, expiry );
+ }
+ }
+ else
+ {
+ if (context_req & ISC_REQ_ALLOCATE_MEMORY)
+ RtlFreeHeap( GetProcessHeap(), 0, output->pBuffers[idx].pvBuffer );
 }
 }
 /* FIXME: initialize context_data */
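Review bot: In the new `else` branch the token buffer is released with `RtlFreeHeap`, but `output->pBuffers[idx].pvBuffer` and `cbBuffer` are left as they were, so after a failed `initialize_context` call the caller's SecBuffer still carries a pointer to freed heap memory and a non-zero length. A caller that inspects or frees the output buffer after an error would then read freed memory or free it a second time. Brace the branch and reset both fields right after the free: `output->pBuffers[idx].pvBuffer = NULL;` and `output->pBuffers[idx].cbBuffer = 0;`. A short comment above the `RtlAllocateHeap` call stating who releases the buffer on success would also help; the function body starts and ends outside this hunk, so whether later code can still fail after the allocation is not visible here.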