authorKen Raeburn <raeburn@mit.edu>2008-06-27 03:33:14 +0000
committerKen Raeburn <raeburn@mit.edu>2008-06-27 03:33:14 +0000
commit67828247e3af6b7c58ebc7bae9bb3479f2cb86a5 (patch)
treeb86d5baa8334b6703acf4913f1e18a4ae9a7d5c1
parentf468121a1abec8c33d38712723f174a73229e68d (diff)
use-after-free bugs
Fix some bugs with storage being used immediately after being freed. None look like anything an attacker can really manipulate AFAICT. ticket: new target_version: 1.6.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20485 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kadmin/server/server_stubs.c2
-rw-r--r--src/kdc/network.c2
-rw-r--r--src/lib/krb5/krb/mk_cred.c2
-rw-r--r--src/slave/kprop.c4
4 files changed, 4 insertions, 6 deletions
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index cf93e86..a6435ac 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1631,7 +1631,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
}
if (ret.code != 0)
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ errmsg = krb5_get_error_message(NULL, ret.code);
else
errmsg = "success";
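Review bot: The new `krb5_get_error_message(NULL, ret.code)` call carries no comment saying why the context is NULL, so a later cleanup could put `handle->context` back and reintroduce the use of freed storage. Where the handle is released lies outside this hunk, so the reason is inferred from the commit message; a one-line comment above the call, such as `/* handle may already be freed here; do not touch handle->context */`, would record the constraint. Passing NULL presumably also drops any context-specific message text, so if that detail matters in the log, fetching the message before the handle is released would preserve it. init_2_svc starts and ends outside the hunk.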
diff --git a/src/kdc/network.c b/src/kdc/network.c
index 82b1c77..1072fce 100644
--- a/src/kdc/network.c
+++ b/src/kdc/network.c
@@ -1086,10 +1086,8 @@ static void process_packet(struct connection *conn, const char *prog,
return;
}
if (cc != response->length) {
- krb5_free_data(kdc_context, response);
com_err(prog, 0, "short reply write %d vs %d\n",
response->length, cc);
- return;
}
krb5_free_data(kdc_context, response);
return;
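Review bot: The `com_err` call that now runs before the free prints `response->length` with `%d`, but the `length` member of `krb5_data` is an unsigned int, and `cc != response->length` compares it with what is presumably a signed write result. The declaration of `cc` is outside the hunk; if it is an `int`, the format would read `"short reply write %u vs %d\n"`, and the comparison would be clearer as `(unsigned int)cc != response->length` once the negative case has been handled by the early return above. With the duplicate free and `return` removed, both paths now share the single `krb5_free_data` call, which is the shape worth keeping. process_packet starts and ends outside the hunk.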
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index cb44647..3479aa2 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -183,8 +183,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
if ((pcred->tickets
= (krb5_ticket **)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) {
- retval = ENOMEM;
free(pcred);
+ return ENOMEM;
}
memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
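Review bot: The allocation size `sizeof(krb5_ticket *) * (ncred + 1)` is computed without an overflow check, and the same expression is repeated in the `memset` that follows, so a very large `ncred` would yield an undersized buffer. How `ncred` is bounded is not visible in this hunk. Using `pcred->tickets = calloc((size_t)ncred + 1, sizeof(*pcred->tickets));` would check the multiplication, zero the array and make the `memset` unnecessary. The new `return ENOMEM;` also bypasses any shared cleanup later in krb5_mk_ncred, which is only correct if `pcred` is the sole resource held at this point; the function body continues outside the hunk, so that should be confirmed.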
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index b2ea2c2..42bc8fb 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -1,7 +1,7 @@
/*
* slave/kprop.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -505,12 +505,12 @@ open_database(context, data_fn, size)
free(data_ok_fn);
exit(1);
}
- free(data_ok_fn);
if (stbuf.st_mtime > stbuf_ok.st_mtime) {
com_err(progname, 0, "'%s' more recent than '%s'.",
data_fn, data_ok_fn);
exit(1);
}
+ free(data_ok_fn);
*size = stbuf.st_size;
return(fd);
}
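Review bot: Nothing at the relocated `free(data_ok_fn)` says that the pointer must outlive the `com_err` in the mtime check, so the free could be moved back up during a later tidy-up. A comment on it such as `/* data_ok_fn is printed by the com_err above; free only after the last use */` would document the ordering. The mtime branch now calls `exit(1)` without freeing `data_ok_fn`, unlike the branch just above it that frees before exiting; this is harmless at process exit, but making the two branches consistent would keep leak checkers quiet. The start of open_database is outside the hunk.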