Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered

by ticket renewal. Add a test case. See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490 Thanks to Joel Johnson and Brian Almeida for the reports. ticket: 6702 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970
author: Tom Yu <tlyu@mit.edu> 2010-04-20 21:12:10 +0000
committer: Tom Yu <tlyu@mit.edu> 2010-04-20 21:12:10 +0000
commit: 04392a812b84527dcf7d4cebfa91ab9c69d7cc40 (patch)
tree: 37ee2645f224b5061d5927d4d6d4b46ed025c012 /src/kdc/do_tgs_req.c
parent: bc2db93977370ba1935f2a3ca0cb2184b8c27a3a (diff)
download: krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.tar.gz
krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.tar.xz
krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b2f0655140..76ca94abc0 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -543,6 +543,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
         clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
     }
 
@@ -554,6 +555,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
 
         old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
author	Tom Yu <tlyu@mit.edu>	2010-04-20 21:12:10 +0000
committer	Tom Yu <tlyu@mit.edu>	2010-04-20 21:12:10 +0000
commit	04392a812b84527dcf7d4cebfa91ab9c69d7cc40 (patch)
tree	37ee2645f224b5061d5927d4d6d4b46ed025c012 /src/kdc/do_tgs_req.c
parent	bc2db93977370ba1935f2a3ca0cb2184b8c27a3a (diff)
download	krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.tar.gz krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.tar.xz krb5-04392a812b84527dcf7d4cebfa91ab9c69d7cc40.zip