Fix for MITKRB5-SA-2005-002
* KDC double-free [CAN-2005-1174, VU#259798]
* krb5_unparse_name heap overflow [CAN-2005-1175, VU#885830]
Thanks to Daniel Wachdorf.
ticket: new
flags: pullup
target_version: 1.4.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17298
dc483132-0cff-0310-8789-
dd5450dbe970
+2005-07-12 Tom Yu <tlyu@mit.edu>
+
+ * do_as_req.c (prepare_error_as):
+ * do_tgs_req.c (prepare_error_tgs): Free scratch only if no error,
+ to avoid double-free. Thanks to Daniel Wachdorf for discovering
+ these. Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1174,
+ VU#259798].
+
+ * network.c (process_packet): Initialize response to NULL.
+
2005-06-20 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (KDB_DEP_LIB): Use DL_LIB and THREAD_LINKOPTS
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
- *response = scratch;
+ if (retval)
+ free(scratch);
+ else
+ *response = scratch;
+
return retval;
}
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
- *response = scratch;
+ if (retval)
+ free(scratch);
+ else
+ *response = scratch;
+
return retval;
}
char pktbuf[MAX_DGRAM_SIZE];
int port_fd = conn->fd;
+ response = NULL;
saddr_len = sizeof(saddr);
cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
(struct sockaddr *)&saddr, &saddr_len);
+2005-07-12 Tom Yu <tlyu@mit.edu>
+
+ * unparse.c (krb5_unparse_name_ext): Account for zero-component
+ principal, to avoid single-byte overflow. Thanks to Daniel
+ Wachdorf. Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
+ VU#885830].
+
2005-06-29 Ken Raeburn <raeburn@mit.edu>
* t_ser.c (ser_data): Don't initialize db serialization code that
totalsize++;
totalsize++; /* This is for the separator */
}
+ if (nelem == 0)
+ totalsize++;
/*
* Allocate space for the ascii string; if space has been