authorTom Yu <tlyu@mit.edu>2004-12-20 21:25:36 +0000
committerTom Yu <tlyu@mit.edu>2004-12-20 21:25:36 +0000
commit73945e696e5b93206624dd3ed69a5e6f661b4ed4 (patch)
tree723df7772ef36c153417714418275b8db9239229
parent3838c5d63c67d8f3e1e31746498ea113133f3bb7 (diff)
pullup from trunk
ticket: 2841 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-3@16966 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/kadm5/srv/ChangeLog8
-rw-r--r--src/lib/kadm5/srv/svr_principal.c11
-rw-r--r--src/tests/dejagnu/krb-standalone/ChangeLog7
3 files changed, 25 insertions, 1 deletions
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog
index eea6987..7e63762 100644
--- a/src/lib/kadm5/srv/ChangeLog
+++ b/src/lib/kadm5/srv/ChangeLog
@@ -1,3 +1,11 @@
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * svr_principal.c (add_to_history): Fix buffer overflow case where
+ the next pointer points into unallocated space but resizing wasn't
+ done, i.e., when someone decreases the policy history count to the
+ exact "right" number. Fix some memory leaks. To avoid losing
+ entries, shift some entries forward after growing the array.
+
2003-09-02 Alexandra Ellwood <lxs@mit.edu>
* svr_principal.c: Added Apple password server support.
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index c567f83..ce6c63b 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1017,6 +1017,9 @@ static kadm5_ret_t add_to_history(krb5_context context,
memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent));
adb->old_key_len++;
+ for (i = adb->old_key_len - 1; i > adb->old_key_next; i--)
+ adb->old_keys[i] = adb->old_keys[i - 1];
+ memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));
} else if (adb->old_key_len > pol->pw_history_num-1) {
/*
* The policy must have changed! Shrink the array.
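Review bot: The two-line shift loop added after `adb->old_key_len++` is a fixed-size struct move that `memmove` states more directly and with less room for an index slip: `memmove(&adb->old_keys[adb->old_key_next + 1], &adb->old_keys[adb->old_key_next], (adb->old_key_len - 1 - adb->old_key_next) * sizeof(*adb->old_keys));` followed by the existing memset of the vacated slot. Whichever form stays, the intent needs a comment, because a reader has to reconstruct that the ring's oldest entry sits at old_key_next and the slot just appended at the end must be rotated into that position: `/* open a hole at old_key_next (the oldest slot of the ring) so the new entry keeps the ring in age order */`. The struct copies move each entry's key_data pointer rather than duplicating it, which is only safe because the source slot is overwritten, never freed, on this path. add_to_history and the realloc that grows old_keys begin before this hunk, so the type of i and whether old_key_next can already exceed old_key_len on entry to this branch are not visible here.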
@@ -1039,10 +1042,12 @@ static kadm5_ret_t add_to_history(krb5_context context,
histp[i] = adb->old_keys[j];
}
/* Now free the ones we don't keep (the oldest ones) */
- for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++)
+ for (i = 0; i < adb->old_key_len - (pol->pw_history_num-1); i++) {
for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
krb5_free_key_data_contents(context,
&adb->old_keys[KADM_MOD(i)].key_data[j]);
+ free(adb->old_keys[KADM_MOD(i)].key_data);
+ }
free((void *)adb->old_keys);
adb->old_keys = histp;
adb->old_key_len = pol->pw_history_num - 1;
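Review bot: The added `free(adb->old_keys[KADM_MOD(i)].key_data)` plus the krb5_free_key_data_contents loop above it is the same two-step release that the later hunk performs on `histp`, so the teardown of one osa_pw_hist_ent is now written out twice and the two copies can drift apart. A small static helper keeps them in step and can null the pointer and count, so a slot that is released but not immediately overwritten cannot be freed a second time. The surviving entries are moved into histp by struct assignment, which copies their key_data pointers rather than the key material, so the helper must only ever be applied to the KADM_MOD(i) slots being discarded, exactly as this loop does. The allocation of histp, the definition of KADM_MOD and the rest of add_to_history are outside this hunk, so whether pw_history_num can be 0 on this path (which would make the loop bound negative) cannot be judged from here.
```c
/* Release the key material held by one password-history entry. */
static void
free_history_entry(krb5_context context, osa_pw_hist_ent *ent)
{
    int i;

    for (i = 0; i < ent->n_key_data; i++)
        krb5_free_key_data_contents(context, &ent->key_data[i]);
    free(ent->key_data);
    ent->key_data = NULL;
    ent->n_key_data = 0;
}

/* … unchanged: copy of the kept entries into histp … */
/* Now free the ones we don't keep (the oldest ones) */
for (i = 0; i < adb->old_key_len - (pol->pw_history_num-1); i++)
    free_history_entry(context, &adb->old_keys[KADM_MOD(i)]);
free((void *)adb->old_keys);
```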
@@ -1052,10 +1057,14 @@ static kadm5_ret_t add_to_history(krb5_context context,
}
}
+ if (adb->old_key_next + 1 > adb->old_key_len)
+ adb->old_key_next = 0;
+
/* free the old pw history entry if it contains data */
histp = &adb->old_keys[adb->old_key_next];
for (i = 0; i < histp->n_key_data; i++)
krb5_free_key_data_contents(context, &histp->key_data[i]);
+ free(histp->key_data);
/* store the new entry */
adb->old_keys[adb->old_key_next] = *pw;
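Review bot: The new guard `if (adb->old_key_next + 1 > adb->old_key_len)` is really the wrap-around check `old_key_next >= old_key_len`, and writing it as an addition hides that; I would change it to `if (adb->old_key_next >= adb->old_key_len)` and explain the case it exists for: `/* the policy may have shrunk to exactly old_key_len, leaving old_key_next one past the end */`. The guard does not cover old_key_len == 0, where index 0 is still out of bounds and old_keys may be NULL; if callers only reach add_to_history with a history policy of at least two entries that is fine, but that guard is not in this hunk and deserves a comment here either way. The added `free(histp->key_data)` leaves a dangling pointer in the slot for one statement, which is harmless only because `adb->old_keys[adb->old_key_next] = *pw` overwrites it immediately; since that struct assignment is a shallow copy that takes over pw->key_data, a comment such as `/* shallow copy: adb now owns pw->key_data, the caller must not free it */` would make the ownership transfer explicit. add_to_history continues past this hunk, so the subsequent advance of old_key_next is not visible.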
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index 9755ebf..8a14369 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,10 @@
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * pwhist.exp: New file. Perform some sanity checking on password
+ history mechanism, including erroneous loss of history when
+ growing the history array. Also tries to trigger some known
+ buffer overflows and memory leaks.
+
2004-02-09 Ken Raeburn <raeburn@mit.edu>
* gssapi.exp (doit): Run server with additional options to export