From d3c5450ddf0b20855e86dab41735d56c6860156b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 10 Dec 2012 14:18:30 -0500 Subject: Fix various integer issues In kdc_util.c and spnego_mech.c, error returns from ASN.1 length functions could be ignored because they were assigned to unsigned values. In spnego_mech.c, two buffer size checks could be rewritten to reduce the likelihood of pointer overflow. In dump.c and kdc_preauth.c, calloc() could be used to simplify the code and avoid multiplication overflow. In pkinit_clnt.c, the wrong value was checked for a null result from malloc(), and the code could be simplified. Reported by Nickolai Zeldovich . ticket: 7488
---
src/plugins/preauth/pkinit/pkinit_clnt.c | 43 +++++++++----------------------- 1 file changed, 12 insertions(+), 31 deletions(-) (limited to 'src/plugins')
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 7a069c1ed..75b97c6a8 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1406,40 +1406,21 @@ pkinit_client_plugin_fini(krb5_context context, krb5_clpreauth_moddata moddata) static krb5_error_code add_string_to_array(krb5_context context, char ***array, const char *addition) { - char **out = NULL; - - if (*array == NULL) { - out = malloc(2 * sizeof(char *)); - if (out == NULL) - return ENOMEM; - out[1] = NULL; - out[0] = strdup(addition); - if (out[0] == NULL) { - free(out); - return ENOMEM; - } - } else { - int i; - char **a = *array; - for (i = 0; a[i] != NULL; i++); - out = malloc( (i + 2) * sizeof(char *)); - if (out == NULL) - return ENOMEM; - for (i = 0; a[i] != NULL; i++) { - out[i] = a[i]; - } - out[i++] = strdup(addition); - if (out == NULL) { - free(out); - return ENOMEM; - } - out[i] = NULL; - free(*array); - } - *array = out; + char **a = *array; + size_t len; + for (len = 0; a != NULL && a[len] != NULL; len++); + a = realloc(a, (len + 2) * sizeof(char *)); + if (a == NULL) + return ENOMEM; + *array = a; + a[len] = strdup(addition); + if (a[len] == NULL) + return ENOMEM; + a[len + 1] = NULL; return 0; } + static krb5_error_code handle_gic_opt(krb5_context context, pkinit_context plgctx, -- cgit
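Review bot: The two `return ENOMEM` paths in the new add_string_to_array body leave `*array` in different states, and nothing in the function documents that. If realloc() fails the caller's array is untouched, but if strdup() fails `*array` already points at the grown block and stays NULL-terminated at its old length only because the failed strdup() wrote NULL into `a[len]`. A comment above that check, such as `/* strdup failure leaves a[len] NULL, so *array is still a valid len-entry list the caller must free. */`, would stop a later reordering from silently breaking termination or leaking the block. As a style point, the empty-bodied `for (...; len++);` is easy to misread and would be clearer with the `;` on its own line or an explicit `continue;`. The callers are outside this hunk, so whether they free `*array` on error cannot be confirmed from here.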