authorTom Yu <tlyu@mit.edu>2004-08-31 19:11:43 +0000
committerTom Yu <tlyu@mit.edu>2004-08-31 19:11:43 +0000
commit7cca8501d6499a0678ddb0747eefd4daa57ae28b (patch)
tree5e6aacd6a44cdd9659a47af5d6e648686f505feb
parent5e7deafdac03e623f33ffa8060ab0cd51f40213e (diff)
pullup from trunk
ticket: 2686 version_fixed: 1.3.5 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-3@16704 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/clients/klist/ChangeLog4
-rw-r--r--src/clients/klist/klist.c8
-rw-r--r--src/krb524/ChangeLog4
-rw-r--r--src/krb524/krb524d.c4
-rw-r--r--src/lib/krb5/asn.1/ChangeLog5
-rw-r--r--src/lib/krb5/asn.1/asn1buf.c1
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c15
-rw-r--r--src/lib/krb5/krb/ChangeLog5
-rw-r--r--src/lib/krb5/krb/rd_rep.c2
-rw-r--r--src/lib/krb5/krb/send_tgs.c4
10 files changed, 48 insertions, 4 deletions
diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog
index 1355c1d..d9cd143 100644
--- a/src/clients/klist/ChangeLog
+++ b/src/clients/klist/ChangeLog
@@ -1,3 +1,7 @@
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * klist.c: Fix double-free vulnerabilities.
+
2002-08-29 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Revert $(S)=>/ change, for Windows support.
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index c3dac27..aae6262 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -614,6 +614,9 @@ show_credential(cred)
if (show_etype) {
retval = krb5_decode_ticket(&cred->ticket, &tkt);
+ if (retval)
+ goto err_tkt;
+
if (!extra_field)
fputs("\t",stdout);
else
@@ -622,8 +625,11 @@ show_credential(cred)
etype_string(cred->keyblock.enctype));
printf("%s ",
etype_string(tkt->enc_part.enctype));
- krb5_free_ticket(kcontext, tkt);
extra_field++;
+
+ err_tkt:
+ if (tkt != NULL)
+ krb5_free_ticket(kcontext, tkt);
}
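Review bot: The `if (tkt != NULL)` guard at `err_tkt:` is only meaningful if `tkt` is NULL whenever `krb5_decode_ticket` fails; that holds if `tkt` is initialised to NULL at its declaration or if the decoder clears `*rep` on every failure path, and neither is visible in this hunk or the `goto err_tkt` hunk above. Setting `tkt = NULL;` immediately before the `krb5_decode_ticket` call makes the guard independent of the decoder's contract. A one-line comment at the label, `/* tkt is NULL when the decode failed; free only what was allocated */`, would record the assumption. show_credential starts and ends outside these hunks.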
/* if any additional info was printed, extra_field is non-zero */
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 2c62781..25b5689 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,7 @@
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * krb524d.c: Fix double-free vulnerabilities.
+
2003-09-02 Tom Yu <tlyu@mit.edu>
* cnv_tkt_skey.c (krb524_convert_tkt_skey): Apply patch from Cesar
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
index a5d05c5..ca1627c 100644
--- a/src/krb524/krb524d.c
+++ b/src/krb524/krb524d.c
@@ -582,8 +582,10 @@ ret = KRB5KDC_ERR_POLICY ;
printf("v4 credentials encoded\n");
error:
- if (v5tkt->enc_part2)
+ if (v5tkt->enc_part2) {
krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2 = NULL;
+ }
if(v5_service_key.contents)
krb5_free_keyblock_contents(context, &v5_service_key);
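Review bot: Clearing `v5tkt->enc_part2` after the free is right, but the reason is not recorded: the `error:` block is reached on success as well as via `goto error`, and the ticket is presumably released again by the caller, which the hunk does not show. A comment at the label, `/* v5tkt is owned by the caller; clear enc_part2 so it is not freed twice */`, would make the invariant explicit. The other resources released here, such as `v5_service_key.contents`, rely on their free routines resetting the pointer, which is worth confirming for the same reason. The enclosing function starts and ends outside the hunk.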
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index 18e4c07..d03af53 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,8 @@
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1buf.c:
+ * krb5_decode.c: Fix double-free vulnerabilities.
+
2003-10-08 Tom Yu <tlyu@mit.edu>
* asn1_k_encode.c (asn1_encode_krb_saved_safe_body): New function;
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 47e1902..566d41e 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -255,6 +255,7 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code)
(*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char));
if ((*code)->data == NULL) {
free(*code);
+ *code = NULL;
return ENOMEM;
}
for(i=0; i < (*code)->length; i++)
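Review bot: Resetting `*code` on the ENOMEM path covers only one failure exit of asn12krb5_buf; any other `return` after `*code` has been assigned (the allocation of the `krb5_data` itself is outside the hunk) would leave the same stale pointer, so the contract should be stated and checked on every exit. A comment above the function, `/* On failure *code is NULL; on success the caller owns *code and (*code)->data. */`, lets callers free unconditionally. The function starts and ends outside the hunk.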
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 596997f..7457c00 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -183,8 +183,10 @@ get_lenfield_body(len,var,decoder)
#define cleanup(cleanup_routine)\
return 0; \
error_out: \
- if (rep && *rep) \
+ if (rep && *rep) { \
cleanup_routine(*rep); \
+ *rep = NULL; \
+ } \
return retval;
#define cleanup_none()\
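Review bot: Clearing `*rep` inside `cleanup()` only helps on paths that reach `error_out:`; any `return` in a decoder body that bypasses `clean_return`, such as the bare `return KRB5KDC_ERR_BAD_PVNO` replaced in the decode_krb5_ticket hunk below, still hands the caller a freed or half-built `*rep`, and the same holds for the other decoders whose `error_out:` blocks gain `*rep = NULL` in this commit. It is worth checking the remaining decoders for bare `return`s after `*rep` is allocated and routing them through `clean_return`. A comment on the macro, `/* error_out: frees *rep and clears it so callers can free unconditionally */`, would document the contract that the rd_rep.c and klist.c hunks now depend on. The setup macro that allocates `*rep`, and may return before doing so, is outside the hunk.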
@@ -233,6 +235,7 @@ error_out:
free_field(*rep,checksum);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -254,7 +257,7 @@ krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep)
{ begin_structure();
{ krb5_kvno kvno;
get_field(kvno,0,asn1_decode_kvno);
- if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO;
+ if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO);
}
alloc_field((*rep)->server,krb5_principal_data);
get_field((*rep)->server,1,asn1_decode_realm);
@@ -268,6 +271,7 @@ error_out:
if (rep && *rep) {
free_field(*rep,server);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -320,6 +324,7 @@ error_out:
free_field(*rep,session);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -403,6 +408,7 @@ error_out:
if (rep && *rep) {
free_field(*rep,ticket);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -451,6 +457,7 @@ error_out:
if (rep && *rep) {
free_field(*rep,subkey);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -556,6 +563,7 @@ error_out:
if (rep && *rep) {
free_field(*rep,checksum);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -614,6 +622,7 @@ error_out:
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -668,6 +677,7 @@ error_out:
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
@@ -713,6 +723,7 @@ error_out:
free_field(*rep,server);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 274245a..bd470c1 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * rd_rep.c:
+ * send_tgs.c: Fix double-free vulnerabilities.
+
2004-05-12 Jeffrey Altman <jaltman@mit.edu>
* send_tgs.c: krb5_send_tgs() was broken in the case of a KRB_ERROR
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index 8019229..6742d8a 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -71,6 +71,8 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
+ if (retval)
+ goto clean_scratch;
/* Check reply fields */
if (((*repl)->ctime != auth_context->authentp->ctime) ||
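Review bot: The new early exit relies on `clean_scratch:` not touching `*repl`, since after a failed decode `*repl` is either NULL (if decode_krb5_ap_rep_enc_part clears it on every failure path) or whatever the caller passed in; the label and its cleanup are outside the hunk, so this should be confirmed. A comment at the goto, `/* *repl is not allocated on failure; only scratch needs freeing */`, would record the assumption. krb5_rd_rep starts and ends outside the hunk.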
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 34a98c0..8239a1a 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -269,6 +269,8 @@ send_again:
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
+ if (retval)
+ goto send_tgs_error_3;
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
@@ -277,6 +279,8 @@ send_again:
goto send_again;
}
krb5_free_error(context, err_reply);
+ send_tgs_error_3:
+ ;
}
rep->message_type = KRB5_ERROR;
} else if (krb5_is_tgs_rep(&rep->response))
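Review bot: When `decode_krb5_error` fails the jump to `send_tgs_error_3:` still falls through to `rep->message_type = KRB5_ERROR;` with `retval` set, and `rep->response.data` stays allocated; whether the function's later cleanup or the caller releases it is not visible here, but if the retry branch releases the response before `goto send_again` (the lines between the two hunks are not shown) the error path should do the same, e.g. `free(rep->response.data); rep->response.data = NULL;` ahead of the label. The empty statement after the label is needed for C89 but deserves a comment, `/* decode failed: retval is set, fall through to cleanup */`. The `goto` is in the preceding hunk; the enclosing function starts and ends outside both.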