Merge in fix from ms-krb-integ branch to avoid modifying input data on aead_decrypt_compat

ticket: 6274
Status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21287 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 15 insertions, 4 deletions

diff --git a/src/lib/crypto/aead.c b/src/lib/crypto/aead.c
index 4debc984e..53dc65076 100644
--- a/src/lib/crypto/aead.c
+++ b/src/lib/crypto/aead.c
@@ -524,7 +524,12 @@ krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
     krb5_error_code ret;
 
     iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
-    iov[0].data = *input;
+    iov[0].data.data = malloc(input->length);
+    if (iov[0].data.data == NULL)
+	return ENOMEM;
+
+    memcpy(iov[0].data.data, input->data, input->length);
+    iov[0].data.length = input->length;
 
     iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
     iov[1].data.data = NULL;
@@ -534,14 +539,20 @@ krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
 				       usage, ivec,
 				       iov, sizeof(iov)/sizeof(iov[0]));
     if (ret != 0)
-	return ret;
+	goto cleanup;
 
-    if (output->length < iov[1].data.length)
-	return KRB5_BAD_MSIZE;
+    if (output->length < iov[1].data.length) {
+	ret = KRB5_BAD_MSIZE;
+	goto cleanup;
+    }
 
     memcpy(output->data, iov[1].data.data, iov[1].data.length);
     output->length = iov[1].data.length;
 
+cleanup:
+    zap(iov[0].data.data,  iov[0].data.length);
+    free(iov[0].data.data);
+
     return ret;
 }