diff options
author | Greg Hudson <ghudson@mit.edu> | 2014-12-27 14:16:13 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2015-02-04 15:36:12 -0500 |
commit | d89dde02db71ba3ff0377e12e485f47537d43798 (patch) | |
tree | 0abe9ef5a66d517ed8f8abdada9ba2a3f474e56a | |
parent | 3cfd4bd9e7c09c3b9024d83ab6e3bba2218eb48b (diff) | |
download | krb5-d89dde02db71ba3ff0377e12e485f47537d43798.zip krb5-d89dde02db71ba3ff0377e12e485f47537d43798.tar.gz krb5-d89dde02db71ba3ff0377e12e485f47537d43798.tar.bz2 |
Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize. This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.
In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().
(cherry picked from commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3)
ticket: 8056
version_fixed: 1.13.1
status: resolved
-rw-r--r-- | src/lib/kadm5/kadm_rpc_xdr.c | 2 | ||||
-rw-r--r-- | src/lib/rpc/auth_gssapi_misc.c | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 42ac783..975f94c 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) free(tl); tl = tl2; } + *tl_data_head = NULL; break; case XDR_ENCODE: @@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) case XDR_FREE: if(*objp != NULL) krb5_free_principal(context, *objp); + *objp = NULL; break; } return TRUE; diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c index 53bdb98..a05ea19 100644 --- a/src/lib/rpc/auth_gssapi_misc.c +++ b/src/lib/rpc/auth_gssapi_misc.c @@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data( if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); gss_release_buffer(minor, &out_buf); - xdr_free(xdr_func, xdr_ptr); XDR_DESTROY(&temp_xdrs); return FALSE; } |