author | Tom Yu <tlyu@mit.edu> | 2004-12-20 21:25:36 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2004-12-20 21:25:36 +0000 |
commit | 73945e696e5b93206624dd3ed69a5e6f661b4ed4 (patch) | |
tree | 723df7772ef36c153417714418275b8db9239229 | |
parent | 3838c5d63c67d8f3e1e31746498ea113133f3bb7 (diff) | |
pullup from trunk
ticket: 2841
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-3@16966 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/kadm5/srv/ChangeLog | 8 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 11 | ||||
-rw-r--r-- | src/tests/dejagnu/krb-standalone/ChangeLog | 7 |
3 files changed, 25 insertions, 1 deletions
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog
index eea6987..7e63762 100644
--- a/src/lib/kadm5/srv/ChangeLog
+++ b/src/lib/kadm5/srv/ChangeLog
@@ -1,3 +1,11 @@
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * svr_principal.c (add_to_history): Fix buffer overflow case where
+ the next pointer points into unallocated space but resizing wasn't
+ done, i.e., when someone decreases the policy history count to the
+ exact "right" number. Fix some memory leaks. To avoid losing
+ entries, shift some entries forward after growing the array.
+
 2003-09-02 Alexandra Ellwood <lxs@mit.edu>
 * svr_principal.c: Added Apple password server support.
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index c567f83..ce6c63b 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1017,6 +1017,9 @@ static kadm5_ret_t add_to_history(krb5_context context,
 memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent));
 adb->old_key_len++;
+ for (i = adb->old_key_len - 1; i > adb->old_key_next; i--)
+ adb->old_keys[i] = adb->old_keys[i - 1];
+ memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));
 } else if (adb->old_key_len > pol->pw_history_num-1) {
 /*
 * The policy must have changed! Shrink the array.
@@ -1039,10 +1042,12 @@ static kadm5_ret_t add_to_history(krb5_context context,
 histp[i] = adb->old_keys[j];
 }
 /* Now free the ones we don't keep (the oldest ones) */
- for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++)
+ for (i = 0; i < adb->old_key_len - (pol->pw_history_num-1); i++) {
 for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
 krb5_free_key_data_contents(context,
 &adb->old_keys[KADM_MOD(i)].key_data[j]);
+ free(adb->old_keys[KADM_MOD(i)].key_data);
+ }
 free((void *)adb->old_keys);
 adb->old_keys = histp;
 adb->old_key_len = pol->pw_history_num - 1;
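Review bot: The added `memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));` in the grow branch (hunk at -1017) indexes with `old_key_next` before anything has compared it with the new `old_key_len`; the clamp this commit introduces (`if (adb->old_key_next + 1 > adb->old_key_len)`) only runs after the resize branches. If a stored principal record can reach this branch with `old_key_next` already past the end of the array (the stale state the ChangeLog entry describes), the shift loop does not execute and the memset writes beyond the reallocated buffer. Whether that combination is reachable cannot be confirmed from the hunk, but hoisting the clamp above the resize `if`, or adding `if (adb->old_key_next >= adb->old_key_len) adb->old_key_next = 0;` directly after `adb->old_key_len++;`, would make the index check local to the write. The function starts and ends outside the hunk.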
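Review bot: The new `free(adb->old_keys[KADM_MOD(i)].key_data);` in the shrink branch (hunk at -1039) depends on an ownership rule that is not written down. `histp[i] = adb->old_keys[j];` copies each kept entry by struct assignment, so the kept entries' `key_data` pointers are shared with the new array and only the dropped entries may be freed. A comment above the loop such as `/* kept entries were shallow-copied into histp; free key_data only for the dropped ones */` would state that. The computation of `j` and the definition of `KADM_MOD` are outside the hunk, so it cannot be checked from here that the freed and kept index ranges are disjoint.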
@@ -1052,10 +1057,14 @@ static kadm5_ret_t add_to_history(krb5_context context,
 }
 }
+ if (adb->old_key_next + 1 > adb->old_key_len)
+ adb->old_key_next = 0;
+
 /* free the old pw history entry if it contains data */
 histp = &adb->old_keys[adb->old_key_next];
 for (i = 0; i < histp->n_key_data; i++)
 krb5_free_key_data_contents(context, &histp->key_data[i]);
+ free(histp->key_data);
 /* store the new entry */
 adb->old_keys[adb->old_key_next] = *pw;
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index 9755ebf..8a14369 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,10 @@
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * pwhist.exp: New file. Perform some sanity checking on password
+ history mechanism, including erroneous loss of history when
+ growing the history array. Also tries to trigger some known
+ buffer overflows and memory leaks.
+
 2004-02-09 Ken Raeburn <raeburn@mit.edu>
 * gssapi.exp (doit): Run server with additional options to export |
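Review bot: The clamp added in the svr_principal.c hunk at -1052 resets `old_key_next` to 0 but never establishes that index 0 exists. If `old_key_len` is 0 when control reaches this point, `histp = &adb->old_keys[adb->old_key_next];` and the later store of `*pw` are still outside the array. Whether a zero-length history can get here depends on the resize branches and the callers, which are outside the hunk, so an explicit early check on `adb->old_key_len == 0` before the clamp would keep the invariant next to the dereference. The condition would also read more directly, without the `+ 1`, as `if (adb->old_key_next >= adb->old_key_len)`. A short comment recording that `old_key_next` comes from the stored record and may be stale after a policy change would explain why the clamp is needed.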