fix MITKRB5-SA-2005-002 KDC double-free and heap overflow
authorTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 19:56:56 +0000 (19:56 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 19:56:56 +0000 (19:56 +0000)
Fix for MITKRB5-SA-2005-002

* KDC double-free [CAN-2005-1174, VU#259798]
* krb5_unparse_name heap overflow [CAN-2005-1175, VU#885830]

Thanks to Daniel Wachdorf.

ticket: new
flags: pullup
target_version: 1.4.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17298 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/network.c
src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/unparse.c

index 8cbcf5bc16896d7f55576cd6e10a3c90027c7022..c723ab128060858c28c8ef1e0c82f21070f36336 100644 (file)
@@ -1,3 +1,13 @@
+2005-07-12  Tom Yu  <tlyu@mit.edu>
+
+       * do_as_req.c (prepare_error_as):
+       * do_tgs_req.c (prepare_error_tgs): Free scratch only if no error,
+       to avoid double-free.  Thanks to Daniel Wachdorf for discovering
+       these.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1174,
+       VU#259798].
+
+       * network.c (process_packet): Initialize response to NULL.
+
 2005-06-20  Ken Raeburn  <raeburn@mit.edu>
 
        * Makefile.in (KDB_DEP_LIB): Use DL_LIB and THREAD_LINKOPTS
index f292a17f8692201dfb0a58217601895319817f55..2916cfee0721717d80b485bb80c618e9b8b4d5ca 100644 (file)
@@ -523,6 +523,10 @@ prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
-    *response = scratch;
+    if (retval)
+       free(scratch);
+    else 
+       *response = scratch;
+
     return retval;
 }
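Review bot: The new error branch at the `if (retval)` line frees `scratch` but leaves `*response` untouched, and nothing in prepare_error_as says so; a caller that reads `*response` after a non-zero return now depends on having initialized it itself (the network.c hunk in this same commit does exactly that). I would add a comment above the branch, `/* On failure *response is left unchanged; the caller must not free it. */`, and the same in prepare_error_tgs in do_tgs_req.c, which carries the identical change. The branch also assumes krb5_mk_error does not populate `scratch->data` when it fails; if it can, `free(scratch)` would leak that buffer, so this is worth confirming against krb5_mk_error rather than relying on the guard alone. The `else ` line carries trailing whitespace. prepare_error_as begins outside the hunk.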
index 7aecb227ef9c09a257a71b3ae5ca216543c16eb0..d85d4b58cdc69ccc542dd74553e1d78502a3e6da 100644 (file)
@@ -721,7 +721,11 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
-    *response = scratch;
+    if (retval)
+       free(scratch);
+    else
+       *response = scratch;
+
     return retval;
 }
 
index 84a90b16fe4ee4d1f123f1cc83ead59a06261e90..658039a3eaff515dacc41a1a404581984eca8dc5 100644 (file)
@@ -721,6 +721,7 @@ static void process_packet(struct connection *conn, const char *prog,
     char pktbuf[MAX_DGRAM_SIZE];
     int port_fd = conn->fd;
 
+    response = NULL;
     saddr_len = sizeof(saddr);
     cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
                  (struct sockaddr *)&saddr, &saddr_len);
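Review bot: `response = NULL;` is a bare assignment placed away from the declaration of `response`, which is not visible in this hunk but presumably sits among the locals at the top of process_packet; initializing it at the declaration instead (`krb5_data *response = NULL;`, assuming that is its type) keeps the invariant next to the variable and survives later reordering of the body. The reason for the initialization is stated only in the ChangeLog, not in the code; if, as the commit suggests, the error path frees `response` even when the request handlers return before assigning it, a comment such as `/* NULL so the error path can free it unconditionally */` would preserve that reason for the next reader. process_packet starts before the hunk and continues after it.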
index e40681409ea6f9512aafbc760cf25f1f8dfb6b4f..ce0b970efa3521f9903c624ebd3d20fd023f9466 100644 (file)
@@ -1,3 +1,10 @@
+2005-07-12  Tom Yu  <tlyu@mit.edu>
+
+       * unparse.c (krb5_unparse_name_ext): Account for zero-component
+       principal, to avoid single-byte overflow.  Thanks to Daniel
+       Wachdorf.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
+       VU#885830].
+
 2005-06-29  Ken Raeburn  <raeburn@mit.edu>
 
        * t_ser.c (ser_data): Don't initialize db serialization code that
index badb5bf9703f835ac0206e40148fdb1cfd1dc857..a67636641510b9df74dd05f40ae9e70730f67a72 100644 (file)
@@ -91,6 +91,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
                                totalsize++;
                totalsize++;    /* This is for the separator */
        }
+       if (nelem == 0)
+               totalsize++;
 
        /*
         * Allocate space for the ascii string; if space has been
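Review bot: The added `if (nelem == 0) totalsize++;` carries no comment, so the reason for the extra byte lives only in the ChangeLog and a reader of unparse.c sees an unexplained special case. I would put the rationale on the line: `/* Zero components: the loop above added no separator byte, so reserve one here or the allocation below is a byte short. */`. Because the overflow was a size-accounting slip, a regression test that unparses a principal with no components would guard against it regressing; nothing in the hunk adds one. krb5_unparse_name_ext begins before the hunk and continues after it.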