author | Tom Yu <tlyu@mit.edu> | 2010-04-20 21:12:10 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-04-20 21:12:10 +0000 |
commit | 04392a812b84527dcf7d4cebfa91ab9c69d7cc40 (patch) | |
tree | 37ee2645f224b5061d5927d4d6d4b46ed025c012 /src/kdc/do_tgs_req.c | |
parent | bc2db93977370ba1935f2a3ca0cb2184b8c27a3a (diff) | |
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6702
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/do_tgs_req.c')
-rw-r--r-- | src/kdc/do_tgs_req.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b2f0655140..76ca94abc0 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -543,6 +543,7 @@ tgt_again:
 to the caller */
 ticket_reply = *(header_ticket);
 enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
 clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
 }
@@ -554,6 +555,7 @@ tgt_again:
 to the caller */
 ticket_reply = *(header_ticket);
 enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
 old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; |
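Review bot: The added `enc_tkt_reply.authorization_data = NULL;` in the first hunk, and the identical line in the second hunk, has no comment explaining why this one member is cleared right after the shallow copy `enc_tkt_reply = *(header_ticket->enc_part2);`. The commit message describes a double free, so presumably a later path releases `enc_tkt_reply.authorization_data` while the header ticket still owns the same pointer; a comment such as `/* header_ticket still owns authorization_data; clear the alias so reply cleanup cannot free it twice */` above each line would keep a later edit from removing it. The struct assignment also leaves every other pointer member of `enc_tkt_reply` aliased to the caller's ticket, and whether any cleanup path frees those cannot be seen here, since both branches start and end outside the hunks. Because the copy-then-clear pair is duplicated in the two branches, a small static helper doing both steps would keep them in sync.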