author: Thierry Bordaz <tbordaz@redhat.com> 2016-07-18 15:00:02 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-07-19 13:17:37 +0200
commit: b04f617803c430b13f8796e911f78bd65f6cf55f
tree: 78ae53b44c338f6a72650606b87ef909870028da /daemons
parent: 72b2c8a54de09d6e5c1cc82c951d5bfd06938e88
Heap corruption in ipapwd plugin

ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys.

allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL

https://fedorahosted.org/freeipa/ticket/6030

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>

Diffstat (limited to 'daemons')
-rw-r--r-- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 9c62f0560..7b2f34122 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
pwd.length = strlen(data->password);
}
- kset = malloc(sizeof(struct ipapwd_keyset));
+ kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset));
if (!kset) {
LOG_OOM();
goto enc_error;
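
Review bot: the new `calloc` line is the only thing that makes the `enc_error` cleanup safe, and nothing at the allocation says so; add a short comment there stating that ipapwd_keyset_free depends on `num_keys == 0` and `keys == NULL` when key generation fails, so a later change back to `malloc` or to a pooled allocator does not reintroduce the bug. The zeroing also protects this call site only: per the commit message, ipa_krb5_generate_key_data leaves num_keys and keys untouched on its EINVAL path, so it is worth having that function set both outputs to 0 and NULL before its first failure return, so that every caller gets a defined state. As a style point, the `(struct ipapwd_keyset *)` cast is not needed in C, since `void *` converts implicitly and the removed `malloc` line had none; `kset = calloc(1, sizeof(struct ipapwd_keyset));` reads cleaner.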