pullup from trunk
authorTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 20:59:52 +0000 (20:59 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 20:59:52 +0000 (20:59 +0000)
ticket: 3120
version_fixed: 1.4.2

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@17300 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/network.c
src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/unparse.c

index 69f392c5195ddbf0e0bb4e2ba33dfcbe52a01b8c..2774ff00eb04617e4ee5061295d1109e03289e4c 100644 (file)
@@ -1,3 +1,13 @@
+2005-07-12  Tom Yu  <tlyu@mit.edu>
+
+       * do_as_req.c (prepare_error_as):
+       * do_tgs_req.c (prepare_error_tgs): Free scratch only if no error,
+       to avoid double-free.  Thanks to Daniel Wachdorf for discovering
+       these.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1174,
+       VU#259798].
+
+       * network.c (process_packet): Initialize response to NULL.
+
 2004-09-23  Ken Raeburn  <raeburn@mit.edu>
 
        * network.c (closedown_network): Free each connection data
index 7f3efd8491a78bbca087d52cd4356938d4904ac6..a71922296adec6a029a64a128faa6d26ca7a5426 100644 (file)
@@ -524,6 +524,10 @@ prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
-    *response = scratch;
+    if (retval)
+       free(scratch);
+    else 
+       *response = scratch;
+
     return retval;
 }
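Review bot: The new error branch frees scratch but never writes `*response`, so when krb5_mk_error fails the caller still sees whatever its response pointer held before the call; the fix therefore depends on every caller pre-initializing that pointer (the companion network.c change does so for process_packet) rather than being safe on its own. Writing it explicitly, `if (retval) { free(scratch); *response = NULL; } else *response = scratch;`, removes that dependency and makes the ownership rule visible at the point where scratch is released. Whether krb5_mk_error can leave scratch->data allocated when it returns an error is not visible here; if it can, that member would need releasing before scratch, which is worth confirming. The new `else ` line also carries a trailing space. prepare_error_as begins outside the hunk.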
index 085e2855c0376d8835d3ceac634f2a64780719c5..8d1904208ff46ae04dd8ce689e87c83df76d854b 100644 (file)
@@ -722,7 +722,11 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
-    *response = scratch;
+    if (retval)
+       free(scratch);
+    else
+       *response = scratch;
+
     return retval;
 }
 
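Review bot: The new branch makes ownership of scratch depend on retval, but nothing tells a reader that the allocated krb5_data now passes to the caller only on success; a comment above the `if (retval)` line should spell that out, e.g. `/* On failure scratch is released here and the caller must not free it; on success the caller owns *response and frees it. */`. Since `*response` is left untouched on the error path, the same comment should state that the caller is expected to have initialized its response pointer beforehand, which is what the network.c change in this commit does for process_packet. This tail (krb5_mk_error, free of errpkt.text.data, the new conditional) appears verbatim in prepare_error_as, so a shared static helper would keep the two from diverging again. prepare_error_tgs begins outside the hunk.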
index d05057aca89bd2e41288e3c5b74dfb7683d97ac2..1610a350c7d76bfa390c613299466777f32a4ba9 100644 (file)
@@ -722,6 +722,7 @@ static void process_packet(struct connection *conn, const char *prog,
     char pktbuf[MAX_DGRAM_SIZE];
     int port_fd = conn->fd;
 
+    response = NULL;
     saddr_len = sizeof(saddr);
     cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
                  (struct sockaddr *)&saddr, &saddr_len);
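Review bot: The added `response = NULL;` is a separate statement placed after the declarations, while the declaration of response itself is above the hunk, so any statement between the two that reads or passes response still sees an indeterminate pointer and a later reordering can silently reopen the window; initializing at the declaration, `krb5_data *response = NULL;` (the exact type is not visible here, so match whatever the declaration uses), ties the initialization to the variable. The protection this gives also depends on whatever later frees response in process_packet treating NULL as a no-op, which is outside this hunk and worth confirming. process_packet continues past the hunk.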
index bca1601977c54d2865549d5c615d77e651b6be8e..f463e0debaf533ee27ee57682167b3131608a846 100644 (file)
@@ -1,3 +1,10 @@
+2005-07-12  Tom Yu  <tlyu@mit.edu>
+
+       * unparse.c (krb5_unparse_name_ext): Account for zero-component
+       principal, to avoid single-byte overflow.  Thanks to Daniel
+       Wachdorf.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
+       VU#885830].
+
 2005-03-22  Tom Yu  <tlyu@mit.edu>
 
        * x-deltat.y (wsnum): Add missing semicolon following YYERROR,
index badb5bf9703f835ac0206e40148fdb1cfd1dc857..a67636641510b9df74dd05f40ae9e70730f67a72 100644 (file)
@@ -91,6 +91,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
                                totalsize++;
                totalsize++;    /* This is for the separator */
        }
+       if (nelem == 0)
+               totalsize++;
 
        /*
         * Allocate space for the ascii string; if space has been
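Review bot: The added `if (nelem == 0) totalsize++;` is a bare arithmetic special case with nothing saying why a zero-component principal needs one more byte, and the sizing loop above is the only hint; a comment should state it: `/* A principal with no components still needs one separator byte (the '@' before the realm), which the loop above never counted. */`. The loop that actually writes the string is below the hunk, so it is worth confirming that it does emit that '@' in the zero-component case; otherwise the extra byte is only slack and the sizing/writing mismatch the advisory describes is not fully explained. A self-documenting alternative is to count separators as `nelem ? nelem : 1` rather than correcting after the loop. krb5_unparse_name_ext begins before and continues after this hunk.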