authorTom Yu <tlyu@mit.edu>2010-10-05 22:32:34 +0000
committerTom Yu <tlyu@mit.edu>2010-10-05 22:32:34 +0000
commit315147a989c6fde20e09a69711fda1bc5cc5fcaa (patch)
tree056845b89bd419763338ce37c8ea58a0ad797073
parent5fdc034739bd98df01309d0aae930c594db58710 (diff)
pull up r24429 from trunk
------------------------------------------------------------------------ r24429 | tlyu | 2010-10-05 17:05:19 -0400 (Tue, 05 Oct 2010) | 14 lines ticket: 6797 subject: CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006) tags: pullup target_version: 1.8.4 When the KDC receives certain TGS-REQ messages, it may dereference an uninitialized pointer while processing authorization data, causing a crash, or in rare cases, unauthorized information disclosure, ticket modification, or execution of arbitrary code. The crash may be triggered by legitimate requests. Correctly implement the filtering of authorization data items to avoid leaving uninitialized pointers when omitting items. ticket: 6797 status: resolved version_fixed: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24431 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/kdc_authdata.c8
1 files changed, 4 insertions, 4 deletions
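--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
 krb5_boolean copy,
 krb5_boolean ignore_kdc_issued)
 {
- size_t i, nadata = 0;
+ size_t i, j, nadata = 0;
 krb5_authdata **authdata = *out_authdata;
 if (in_authdata == NULL || in_authdata[0] == NULL)
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
 in_authdata = tmp;
 }
- for (i = 0; in_authdata[i] != NULL; i++) {
+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
 if (ignore_kdc_issued &&
 is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
 free(in_authdata[i]->contents);
 free(in_authdata[i]);
 } else
- authdata[nadata + i] = in_authdata[i];
+ authdata[nadata + j++] = in_authdata[i];
 }
- authdata[nadata + i] = NULL;
+ authdata[nadata + j] = NULL;
 free(in_authdata);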
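Review bot: The separation of `i` (input index) from `j` (output index) on the `for` line and in the `authdata[nadata + j++]` store is the entire fix, yet nothing in the hunk records why the two indices must not be merged again, which is exactly the simplification a later cleanup would be tempted to make. A comment above the loop along the lines of `/* j counts kept entries: skipping an item must not leave a hole (an uninitialized pointer) in authdata, which is NULL-terminated at nadata + j below */` would pin that invariant to the code. The unbraced `else` arm next to a braced `if` arm is easy to misread in a loop whose correctness depends on which statement runs on which path; bracing both arms would keep the two paths visually symmetric. Because `j <= i`, the slots from `nadata + j + 1` up to the old `nadata + i` are now never written; that is fine for NULL-terminated traversal, but the allocation that sizes `authdata` is outside this hunk, so readers cannot confirm from here that no other code reads past the terminator. merge_authdata begins before the first hunk and continues after this one.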