authorTom Yu <tlyu@mit.edu>2010-04-20 21:12:10 +0000
committerTom Yu <tlyu@mit.edu>2010-04-20 21:12:10 +0000
commit04392a812b84527dcf7d4cebfa91ab9c69d7cc40 (patch)
tree37ee2645f224b5061d5927d4d6d4b46ed025c012 /src/tests/dejagnu
parentbc2db93977370ba1935f2a3ca0cb2184b8c27a3a (diff)
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case. See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490 Thanks to Joel Johnson and Brian Almeida for the reports. ticket: 6702 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests/dejagnu')
-rw-r--r--src/tests/dejagnu/config/default.exp35
-rw-r--r--src/tests/dejagnu/krb-standalone/standalone.exp4
2 files changed, 39 insertions, 0 deletions
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 382c17409e..1638a5a0d4 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -2107,6 +2107,41 @@ proc kinit { name pass standalone } {
return 1
}
+
+proc kinit_renew { name pass standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ spawn $KINIT -5 -f $name@$REALMNAME
+ expect {
+ "Password for $name@$REALMNAME:" {
+ verbose "kinit started"
+ }
+ timeout {
+ fail "kinit"
+ return 0
+ }
+ eof {
+ fail "kinit"
+ return 0
+ }
+ }
+ send "$pass\r"
+ expect eof
+ if ![check_exit_status kinit] {
+ return 0
+ }
+
+ spawn $KINIT -R
+ expect eof
+ if ![check_exit_status "kinit_renew"] {
+ return 0
+ }
+
+ return 1
+}
+
# Retrieve a ticket using FAST armor
proc kinit_fast { name pass standalone } {
global REALMNAME
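Review bot: The renewal step at the end of `kinit_renew` (`spawn $KINIT -R` followed by `check_exit_status "kinit_renew"`) only observes kinit's exit code, so it catches the double-free only when the KDC visibly crashes or fails the request; with an allocator that tolerates the second free, the test would pass against an unfixed KDC. Consider also running this case with the KDC under a memory checker, or following the renewal with another request that has to reach the KDC, so a dead or corrupted KDC is noticed. The first kinit passes `-5 -f` but no `-r`, so whether the TGT is renewable presumably depends on the test realm's configuration; requesting a renewable lifetime explicitly would make the test self-contained. The new proc also has no header comment, unlike `kinit_fast` below it; something like `# Get a TGT with a password, then renew it with kinit -R (regression test for the KDC double-free on renewal)` would do. The `standalone` parameter is not used in the visible body.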
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp
index c511798b44..dbaf95dbd7 100644
--- a/src/tests/dejagnu/krb-standalone/standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/standalone.exp
@@ -201,6 +201,10 @@ proc doit { } {
return
}
+ if ![kinit_renew krbtest/admin adminpass$KEY 1] {
+ return
+ }
+
# Make sure that klist can see the ticket.
if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return