From 7cca8501d6499a0678ddb0747eefd4daa57ae28b Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 31 Aug 2004 19:11:43 +0000
Subject: pullup from trunk

ticket: 2686
version_fixed: 1.3.5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-3@16704 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/clients/klist/ChangeLog | 4 ++++
 src/clients/klist/klist.c | 8 +++++++-
 src/krb524/ChangeLog | 4 ++++
 src/krb524/krb524d.c | 4 +++-
 src/lib/krb5/asn.1/ChangeLog | 5 +++++
 src/lib/krb5/asn.1/asn1buf.c | 1 +
 src/lib/krb5/asn.1/krb5_decode.c | 15 +++++++++++++--
 src/lib/krb5/krb/ChangeLog | 5 +++++
 src/lib/krb5/krb/rd_rep.c | 2 ++
 src/lib/krb5/krb/send_tgs.c | 4 ++++
 10 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog
index 1355c1d..d9cd143 100644
--- a/src/clients/klist/ChangeLog
+++ b/src/clients/klist/ChangeLog
@@ -1,3 +1,7 @@
+2004-08-31 Tom Yu
+
+ * klist.c: Fix double-free vulnerabilities.
+
 2002-08-29 Ken Raeburn
 * Makefile.in: Revert $(S)=>/ change, for Windows support.
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index c3dac27..aae6262 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -614,6 +614,9 @@ show_credential(cred)
 if (show_etype) {
 retval = krb5_decode_ticket(&cred->ticket, &tkt);
+ if (retval)
+ goto err_tkt;
+
 if (!extra_field)
 fputs("\t",stdout);
 else
@@ -622,8 +625,11 @@ show_credential(cred)
 etype_string(cred->keyblock.enctype));
 printf("%s ", etype_string(tkt->enc_part.enctype));
- krb5_free_ticket(kcontext, tkt);
 extra_field++;
+
+ err_tkt:
+ if (tkt != NULL)
+ krb5_free_ticket(kcontext, tkt);
 }
 /* if any additional info was printed, extra_field is non-zero */
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 2c62781..25b5689 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
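Review bot: The `tkt != NULL` test at the new `err_tkt:` label in the second klist.c hunk is only meaningful if `tkt` holds NULL whenever `krb5_decode_ticket` fails, and the declaration of `tkt` lies outside both hunks, so I cannot see it being initialized; if the decoder returns before it ever assigns `*rep` (an input-wrapping failure, for instance), the label tests an indeterminate pointer and may free garbage. The cheap guarantee is to clear it in the caller on the line preceding the call: `tkt = NULL;` before `retval = krb5_decode_ticket(&cred->ticket, &tkt);`. Separately, the new `goto err_tkt` drops `retval` on the floor, so a ticket that fails to decode silently loses its enctype column rather than being reported; at minimum a comment at the label, `/* decode failure: skip the enctype column; tkt must be NULL here */`, or reporting the error the way klist reports its other failures, would make that deliberate. show_credential's body starts and ends outside both hunks.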
@@ -1,3 +1,7 @@
+2004-08-31 Tom Yu
+
+ * krb524d.c: Fix double-free vulnerabilities.
+
 2003-09-02 Tom Yu
 * cnv_tkt_skey.c (krb524_convert_tkt_skey): Apply patch from Cesar
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
index a5d05c5..ca1627c 100644
--- a/src/krb524/krb524d.c
+++ b/src/krb524/krb524d.c
@@ -582,8 +582,10 @@ ret = KRB5KDC_ERR_POLICY ;
 printf("v4 credentials encoded\n");
 error:
- if (v5tkt->enc_part2)
+ if (v5tkt->enc_part2) {
 krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2 = NULL;
+ }
 if(v5_service_key.contents)
 krb5_free_keyblock_contents(context, &v5_service_key);
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index 18e4c07..d03af53 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,8 @@
+2004-08-31 Tom Yu
+
+ * asn1buf.c:
+ * krb5_decode.c: Fix double-free vulnerabilities.
+
 2003-10-08 Tom Yu
 * asn1_k_encode.c (asn1_encode_krb_saved_safe_body): New function;
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 47e1902..566d41e 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -255,6 +255,7 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code)
 (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char));
 if ((*code)->data == NULL) {
 free(*code);
+ *code = NULL;
 return ENOMEM;
 }
 for(i=0; i < (*code)->length; i++)
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 596997f..7457c00 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -183,8 +183,10 @@ get_lenfield_body(len,var,decoder)
 #define cleanup(cleanup_routine)\
 return 0; \
 error_out: \
- if (rep && *rep) \
+ if (rep && *rep) { \
 cleanup_routine(*rep); \
+ *rep = NULL; \
+ } \
 return retval;

 #define cleanup_none()\
@@ -233,6 +235,7 @@ error_out:
 free_field(*rep,checksum);
 free_field(*rep,client);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
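Review bot: The reset-after-free treatment the krb524d.c hunk gives `enc_part2` is not applied to the keyblock freed two lines below it: `krb5_free_keyblock_contents(context, &v5_service_key)` is guarded by `if(v5_service_key.contents)`, so unless that routine clears `contents` itself (I cannot tell from the hunk), a second pass through `error:` would double-free the key exactly as `enc_part2` used to be. If it does not, add `v5_service_key.contents = NULL;` after the call, in the same braced form the hunk uses for `enc_part2`. The `if (v5tkt->enc_part2)` test also dereferences `v5tkt` unconditionally on the error path, so every `goto error` in the function must occur after `v5tkt` is valid; the function body is outside the hunk, so that is worth confirming rather than assuming.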
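Review bot: The new `*code = NULL;` in asn12krb5_buf establishes a contract — on ENOMEM the caller receives a NULL `*code` and may free it unconditionally — that nothing in the hunk records, so the next cleanup of this block could drop the line without noticing what it protects. A comment at the site, `/* leave *code NULL so callers can free it unconditionally on error */`, or the same sentence on the prototype, would pin it down. asn12krb5_buf starts and ends outside the hunk.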
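Review bot: With the `cleanup()` macro in krb5_decode.c now clearing `*rep`, the hand-written `error_out:` blocks in the same file (the `@@ -233` hunk here and the ones at -268, -320, -403, -451, -556, -614, -668 and -713) each repeat the `free_field`/`free`/`*rep = NULL` tail by hand, and any decoder whose block was missed keeps the old dangling-pointer behaviour the commit is fixing. If a macro cannot absorb the per-type `free_field` lists, a one-line comment on the macro, `/* every error_out: block must leave *rep NULL; callers free it unconditionally */`, documents the invariant the rest of the file now depends on. The enclosing macro definitions start before the hunk.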
@@ -254,7 +257,7 @@ krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep)
 { begin_structure();
 { krb5_kvno kvno;
 get_field(kvno,0,asn1_decode_kvno);
- if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO;
+ if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO);
 }
 alloc_field((*rep)->server,krb5_principal_data);
 get_field((*rep)->server,1,asn1_decode_realm);
@@ -268,6 +271,7 @@ error_out:
 if (rep && *rep) {
 free_field(*rep,server);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -320,6 +324,7 @@ error_out:
 free_field(*rep,session);
 free_field(*rep,client);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -403,6 +408,7 @@ error_out:
 if (rep && *rep) {
 free_field(*rep,ticket);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -451,6 +457,7 @@ error_out:
 if (rep && *rep) {
 free_field(*rep,subkey);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -556,6 +563,7 @@ error_out:
 if (rep && *rep) {
 free_field(*rep,checksum);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -614,6 +622,7 @@ error_out:
 free_field(*rep,r_address);
 free_field(*rep,s_address);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -668,6 +677,7 @@ error_out:
 free_field(*rep,r_address);
 free_field(*rep,s_address);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
@@ -713,6 +723,7 @@ error_out:
 free_field(*rep,server);
 free_field(*rep,client);
 free(*rep);
+ *rep = NULL;
 }
 return retval;
 }
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 274245a..bd470c1 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2004-08-31 Tom Yu
+
+ * rd_rep.c:
+ * send_tgs.c: Fix double-free vulnerabilities.
+
 2004-05-12 Jeffrey Altman
 * send_tgs.c: krb5_send_tgs() was broken in the case of a KRB_ERROR
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index 8019229..6742d8a 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
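Review bot: The bare `return KRB5KDC_ERR_BAD_PVNO` replaced in decode_krb5_ticket is the kind of early exit that bypasses `error_out:` and hands the caller a partially built `*rep` to free; the `clean_return` conversion is right, but only this one site is touched, and any other decoder in the file that checks a version field the same way is outside the visible hunks. It is worth grepping krb5_decode.c for remaining `return` statements between `begin_structure()` and `error_out:` and converting each to `clean_return(...)` as well, since a single survivor reintroduces the dangling `*rep` this commit removes. The other hunks on this line only append `*rep = NULL;` to existing cleanup blocks, consistent with the updated `cleanup()` macro; decode_krb5_ticket's body starts and ends outside its hunk.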
@@ -71,6 +71,8 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat
 /* now decode the decrypted stuff */
 retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
+ if (retval)
+ goto clean_scratch;
 /* Check reply fields */
 if (((*repl)->ctime != auth_context->authentp->ctime) ||
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 34a98c0..8239a1a 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -269,6 +269,8 @@ send_again:
 if (!tcp_only) {
 krb5_error *err_reply;
 retval = decode_krb5_error(&rep->response, &err_reply);
+ if (retval)
+ goto send_tgs_error_3;
 if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
 tcp_only = 1;
 krb5_free_error(context, err_reply);
@@ -277,6 +279,8 @@ send_again:
 goto send_again;
 }
 krb5_free_error(context, err_reply);
+ send_tgs_error_3:
+ ;
 }
 rep->message_type = KRB5_ERROR;
 } else if (krb5_is_tgs_rep(&rep->response))
--
cgit v1.1
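Review bot: The new `goto clean_scratch` in krb5_rd_rep relies on `decode_krb5_ap_rep_enc_part` leaving `*repl` NULL on failure, since the label (outside the hunk) presumably releases only `scratch` and the caller will free whatever `*repl` holds; the decoder's cleanup path in this same commit now provides that, but nothing here says so. A comment on the jump, `/* decoder leaves *repl NULL on error; caller must not free it */`, or an explicit `*repl = NULL;` before the `goto`, keeps this function correct even if the decoder's contract drifts later. krb5_rd_rep's body starts and ends outside the hunk.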
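Review bot: The new `send_tgs_error_3:` label in send_tgs.c jumps to an empty statement just inside the closing brace of `if (!tcp_only)`, so a reply that the enclosing branch has presumably identified as a KRB-ERROR but that fails to decode still falls through to `rep->message_type = KRB5_ERROR;` with `retval` holding the decode error, and whether that `retval` survives to the return depends on code outside the hunks. If the intent is to report the undecodable reply, the two added lines read more clearly as an `if (retval == 0) { ... }` around the existing `err_reply` handling, which also removes the label-plus-`;` construct; if the intent is to classify it as a generic KRB5_ERROR anyway, a comment at the label, `/* undecodable KRB-ERROR: still reported as KRB5_ERROR, retval carries the decode failure */`, records that choice. Both send_tgs.c hunks share this point, and the enclosing function continues outside them.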