authorTom Yu <tlyu@mit.edu>2011-04-13 18:43:37 +0000
committerTom Yu <tlyu@mit.edu>2011-04-13 18:43:37 +0000
commite88f857c3680ea395c0bed6a82862d8ea1177221 (patch)
tree918988a7e1783781608b9a0a463bb922901024d5 /src
parentb0031448502561da31fb8c2543c8b01d7df9a872 (diff)
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a later free() of an invalid pointer in kill_tcp_or_rpc_connection(). Also initialize rep->data to NULL in process_chpw_request() and clean up *response in dispatch() as an additional precaution. ticket: 6899 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kadmin/server/schpw.c14
1 files changed, 12 insertions, 2 deletions
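--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
     ret = 0;
     rep->length = 0;
+    rep->data = NULL;
     auth_context = NULL;
     changepw = NULL;
@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
     plen = (*ptr++ & 0xff);
     plen = (plen<<8) | (*ptr++ & 0xff);
-    if (plen != req->length)
-        return(KRB5KRB_AP_ERR_MODIFIED);
+    if (plen != req->length) {
+        ret = KRB5KRB_AP_ERR_MODIFIED;
+        numresult = KRB5_KPASSWD_MALFORMED;
+        strlcpy(strresult, "Request length was inconsistent",
+                sizeof(strresult));
+        goto chpwfail;
+    }
     /* verify version number */
@@ -534,6 +540,10 @@ cleanup:
     if (local_kaddrs != NULL)
         krb5_free_addresses(server_handle->context, local_kaddrs);
+    if ((*response)->data == NULL) {
+        free(*response);
+        *response = NULL;
+    }
     krb5_kt_close(server_handle->context, kt);
     return ret;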
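Review bot: The new block at the `cleanup:` label dereferences `*response` unconditionally, so if any path that jumps to `cleanup` can arrive with `*response` still NULL (for instance a failed allocation of the response before process_chpw_request() is called — not visible here, since dispatch() begins outside this hunk), the added check crashes instead of cleaning up. A NULL guard preserves the intended behaviour at no cost: `if (*response != NULL && (*response)->data == NULL) {`. It would also help to state the invariant in the code rather than only in the commit message, with a comment above the block such as `/* No reply was built; release the empty krb5_data so the caller does not later free an unset data pointer. */`, since kill_tcp_or_rpc_connection() is the consumer that depends on it.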