diff options
| author | Tom Yu <tlyu@mit.edu> | 2004-08-31 18:52:26 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2004-08-31 18:52:26 +0000 |
| commit | a37f039625cc1ddf5c66fa43e3534ded461337d3 (patch) | |
| tree | 2d8298ce7166730488ebf623d2b26483f7647b68 /src/lib | |
| parent | fc0bb2cb9d3a64a34865adbc0f985bc1cfa323fe (diff) | |
fix MITKRB5-SA-2004-002
Fix double-free vulnerabilities [MITKRB5-SA-2004-002].
ticket: new
target_version: 1.3.5
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16701 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/asn.1/ChangeLog | 5 | ||||
| -rw-r--r-- | src/lib/krb5/asn.1/asn1buf.c | 1 | ||||
| -rw-r--r-- | src/lib/krb5/asn.1/krb5_decode.c | 15 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_rep.c | 2 | ||||
| -rw-r--r-- | src/lib/krb5/krb/send_tgs.c | 4 |
5 files changed, 25 insertions, 2 deletions
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index ce20ff65c..fd0bf2daf 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,8 @@ +2004-08-31 Tom Yu <tlyu@mit.edu> + + * asn1buf.c: + * krb5_decode.c: Fix double-free vulnerabilities. + 2004-06-10 Ken Raeburn <raeburn@mit.edu> * asn1_encode.c (asn1_encode_generaltime): Fix memcpy argument to diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c index 47e190280..566d41e7b 100644 --- a/src/lib/krb5/asn.1/asn1buf.c +++ b/src/lib/krb5/asn.1/asn1buf.c @@ -255,6 +255,7 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code) (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); if ((*code)->data == NULL) { free(*code); + *code = NULL; return ENOMEM; } for(i=0; i < (*code)->length; i++) diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 596997fe9..7457c0095 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c @@ -183,8 +183,10 @@ get_lenfield_body(len,var,decoder) #define cleanup(cleanup_routine)\ return 0; \ error_out: \ - if (rep && *rep) \ + if (rep && *rep) { \ cleanup_routine(*rep); \ + *rep = NULL; \ + } \ return retval; #define cleanup_none()\ @@ -233,6 +235,7 @@ error_out: free_field(*rep,checksum); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } @@ -254,7 +257,7 @@ krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep) { begin_structure(); { krb5_kvno kvno; get_field(kvno,0,asn1_decode_kvno); - if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; + if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } alloc_field((*rep)->server,krb5_principal_data); get_field((*rep)->server,1,asn1_decode_realm); @@ -268,6 +271,7 @@ error_out: if (rep && *rep) { free_field(*rep,server); free(*rep); + *rep = NULL; } return retval; } @@ -320,6 +324,7 @@ error_out: free_field(*rep,session); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } @@ -403,6 +408,7 @@ error_out: if (rep && *rep) { free_field(*rep,ticket); free(*rep); + *rep = NULL; } return retval; } @@ -451,6 +457,7 @@ error_out: if (rep && *rep) { free_field(*rep,subkey); free(*rep); + *rep = NULL; } return retval; } @@ -556,6 +563,7 @@ error_out: if (rep && *rep) { free_field(*rep,checksum); free(*rep); + *rep = NULL; } return retval; } @@ -614,6 +622,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); + *rep = NULL; } return retval; } @@ -668,6 +677,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); + *rep = NULL; } return retval; } @@ -713,6 +723,7 @@ error_out: free_field(*rep,server); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 80192294e..6742d8a03 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -71,6 +71,8 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat /* now decode the decrypted stuff */ retval = decode_krb5_ap_rep_enc_part(&scratch, repl); + if (retval) + goto clean_scratch; /* Check reply fields */ if (((*repl)->ctime != auth_context->authentp->ctime) || diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index a5ffe1d4b..8fc60212c 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -270,6 +270,8 @@ send_again: if (!tcp_only) { krb5_error *err_reply; retval = decode_krb5_error(&rep->response, &err_reply); + if (retval) + goto send_tgs_error_3; if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { tcp_only = 1; krb5_free_error(context, err_reply); @@ -278,6 +280,8 @@ send_again: goto send_again; } krb5_free_error(context, err_reply); + send_tgs_error_3: + ; } rep->message_type = KRB5_ERROR; } else if (krb5_is_tgs_rep(&rep->response)) |