fix MITKRB5-SA-2004-002
authorTom Yu <tlyu@mit.edu>
Tue, 31 Aug 2004 18:52:26 +0000 (18:52 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 31 Aug 2004 18:52:26 +0000 (18:52 +0000)
Fix double-free vulnerabilities [MITKRB5-SA-2004-002].

ticket: new
target_version: 1.3.5
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16701 dc483132-0cff-0310-8789-dd5450dbe970

src/clients/klist/ChangeLog
src/clients/klist/klist.c
src/krb524/ChangeLog
src/krb524/krb524d.c
src/lib/krb5/asn.1/ChangeLog
src/lib/krb5/asn.1/asn1buf.c
src/lib/krb5/asn.1/krb5_decode.c
src/lib/krb5/krb/rd_rep.c
src/lib/krb5/krb/send_tgs.c

index f6b73d86be5d90203c4d6f143ba2e66244da8eca..3fb4ec1b3990329db9d36b65a67c11b54a46d231 100644 (file)
@@ -1,3 +1,7 @@
+2004-08-31  Tom Yu  <tlyu@mit.edu>
+
+       * klist.c: Fix double-free vulnerabilities.
+
 2004-07-11  Ken Raeburn  <raeburn@mit.edu>
 
        * klist.c: Include autoconf.h before network headers.
index 368f799b7d61b596da696284ecf9cd80c21ef2ad..8a70e06852623b7f7689cd3b6d1b323f2d0f7df4 100644 (file)
@@ -616,6 +616,9 @@ show_credential(cred)
 
     if (show_etype) {
        retval = krb5_decode_ticket(&cred->ticket, &tkt);
+       if (retval)
+           goto err_tkt;
+
        if (!extra_field)
            fputs("\t",stdout);
        else
@@ -624,8 +627,11 @@ show_credential(cred)
               etype_string(cred->keyblock.enctype));
        printf("%s ",
               etype_string(tkt->enc_part.enctype));
-       krb5_free_ticket(kcontext, tkt);
        extra_field++;
+
+    err_tkt:
+       if (tkt != NULL)
+           krb5_free_ticket(kcontext, tkt);
     }
 
     /* if any additional info was printed, extra_field is non-zero */
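Review bot: The new `if (tkt != NULL)` guard at `err_tkt` only works if `tkt` holds a defined value when `krb5_decode_ticket` fails; its declaration is outside this hunk, and unless it is initialised there, the failure path reads an indeterminate pointer in any case where the decoder returns before it can clear `*rep`. The guard also silently depends on the decoder fix elsewhere in this commit (the decoder freeing and clearing `*rep` on error), which deserves to be stated at the use site. Initialise it at the declaration, `krb5_ticket *tkt = NULL;`, and annotate the label, `/* tkt is NULL when the decode failed; free only what was decoded */`. show_credential starts and ends outside the hunk.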
index f7601ff83441a51d1f5f76b667debcb1176588aa..e36bff904307093dbaff0d62b5803f9b576a5fce 100644 (file)
@@ -1,3 +1,7 @@
+2004-08-31  Tom Yu  <tlyu@mit.edu>
+
+       * krb524d.c: Fix double-free vulnerabilities.
+
 2004-08-08  Ken Raeburn  <raeburn@mit.edu>
 
        * krb524d.c (do_connection): Use socklen_t for the size of the
index ba9be957f854045e518bc1d63b225a7b8a0f5bb1..5b3641bcc278f01bc4f86aaa52e2b9c67a85bb14 100644 (file)
@@ -583,8 +583,10 @@ ret =  KRB5KDC_ERR_POLICY ;
          printf("v4 credentials encoded\n");
 
  error:
-     if (v5tkt->enc_part2)
+     if (v5tkt->enc_part2) {
         krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+        v5tkt->enc_part2 = NULL;
+     }
 
      if(v5_service_key.contents)
        krb5_free_keyblock_contents(context, &v5_service_key);
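Review bot: The reason `v5tkt->enc_part2` is cleared right after `krb5_free_enc_tkt_part` is not stated at the `error:` label; presumably `v5tkt` is released later by whoever owns the ticket, and without the NULL that release would free `enc_part2` a second time. A one-line comment would preserve the intent for the next maintainer: `/* v5tkt is freed by its owner; clear so enc_part2 is not freed twice */`. The same question applies to `v5_service_key.contents` two lines below if `krb5_free_keyblock_contents` does not clear the pointer itself — worth confirming. The enclosing function starts and ends outside the hunk.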
index ce20ff65c40f31de40e7adb44e05d23091d493e2..fd0bf2daf577c757a5ff1bc23054a45c90b8e107 100644 (file)
@@ -1,3 +1,8 @@
+2004-08-31  Tom Yu  <tlyu@mit.edu>
+
+       * asn1buf.c:
+       * krb5_decode.c: Fix double-free vulnerabilities.
+
 2004-06-10  Ken Raeburn  <raeburn@mit.edu>
 
        * asn1_encode.c (asn1_encode_generaltime): Fix memcpy argument to
index 47e1902804b273bacdb0c1df45cc83b69da60498..566d41e7b8e9bc49272f900e3564d1824ffe4563 100644 (file)
@@ -255,6 +255,7 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code)
   (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char));
   if ((*code)->data == NULL) {
     free(*code);
+    *code = NULL;
     return ENOMEM;
   }
   for(i=0; i < (*code)->length; i++)
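Review bot: The ENOMEM path of `asn12krb5_buf` now frees and clears `*code`, but nothing documents that contract, and the earlier allocation of `*code` (above this hunk) is not visible here to confirm it leaves `*code` NULL on its own failure. A header comment on the function would settle what callers may assume: `/* On any failure *code is NULL and the caller owns nothing. */`. If the first allocation's failure path does not already clear `*code`, it should be made consistent with this one.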
index 596997fe953ff060bc2cef3bd3273912ac7b70bf..7457c0095d6002eead1c1e77d8736a4100f5c380 100644 (file)
@@ -183,8 +183,10 @@ get_lenfield_body(len,var,decoder)
 #define cleanup(cleanup_routine)\
    return 0; \
 error_out: \
-   if (rep && *rep) \
+   if (rep && *rep) \
        cleanup_routine(*rep); \
+       *rep = NULL; \
+   } \
    return retval;
 
 #define cleanup_none()\
@@ -233,6 +235,7 @@ error_out:
       free_field(*rep,checksum);
       free_field(*rep,client);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -254,7 +257,7 @@ krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep)
   { begin_structure();
     { krb5_kvno kvno;
       get_field(kvno,0,asn1_decode_kvno);
-      if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO;
+      if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO);
     }
     alloc_field((*rep)->server,krb5_principal_data);
     get_field((*rep)->server,1,asn1_decode_realm);
@@ -268,6 +271,7 @@ error_out:
   if (rep && *rep) {
       free_field(*rep,server);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -320,6 +324,7 @@ error_out:
       free_field(*rep,session);
       free_field(*rep,client);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -403,6 +408,7 @@ error_out:
   if (rep && *rep) {
       free_field(*rep,ticket);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -451,6 +457,7 @@ error_out:
   if (rep && *rep) {
       free_field(*rep,subkey);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -556,6 +563,7 @@ error_out:
   if (rep && *rep) {
       free_field(*rep,checksum);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -614,6 +622,7 @@ error_out:
       free_field(*rep,r_address);
       free_field(*rep,s_address);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -668,6 +677,7 @@ error_out:
       free_field(*rep,r_address);
       free_field(*rep,s_address);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
@@ -713,6 +723,7 @@ error_out:
       free_field(*rep,server);
       free_field(*rep,client);
       free(*rep);
+      *rep = NULL;
   }
   return retval;
 }
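Review bot: As rendered, the new `if (rep && *rep) \` line in the `cleanup` macro shows no opening brace, yet the added `} \` line closes one; if the brace was lost only in rendering this is fine, but if the source really lacks it the macro will not compile — it should read `if (rep && *rep) { \`. The hand-written `error_out:` blocks in the later hunks of this file (the one following the macro and each of the seven after `decode_krb5_ticket`) add `*rep = NULL;` individually, so the resulting contract — on failure `*rep` is freed and cleared and callers must not free it — is implemented in ten places but written down in none; a comment on the macro, `/* on error *rep is freed and set to NULL; callers must not free it */`, would record it once. The `clean_return` change in `decode_krb5_ticket` routes the KVNO check through `error_out`; any remaining direct `return` after `alloc_field` in decoders not visible here would still leave `*rep` allocated and non-NULL and is worth a sweep.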
index 80192294e8bd3ac795238125181d677f1eed6ba9..6742d8a0388fc7646f3af11a5173afa2fed1ebaf 100644 (file)
@@ -71,6 +71,8 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat
 
     /* now decode the decrypted stuff */
     retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
+    if (retval)
+       goto clean_scratch;
 
     /* Check reply fields */
     if (((*repl)->ctime != auth_context->authentp->ctime) ||
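Review bot: The new `goto clean_scratch` after `decode_krb5_ap_rep_enc_part` relies on the decoder leaving `*repl` NULL on failure; the `clean_scratch` label is outside the hunk, so confirm that path frees only `scratch` and does not touch `*repl`. A comment at the goto would keep the cross-file coupling visible: `/* decoder frees and clears *repl on failure; only scratch needs cleanup */`. krb5_rd_rep starts and ends outside the hunk.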
index a5ffe1d4bd25f8cc2f5d956e3f58963b625468fe..8fc60212cedc8f5be8c981f96c39d65b50e9c061 100644 (file)
@@ -270,6 +270,8 @@ send_again:
            if (!tcp_only) {
                krb5_error *err_reply;
                retval = decode_krb5_error(&rep->response, &err_reply);
+               if (retval)
+                   goto send_tgs_error_3;
                if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
                    tcp_only = 1;
                    krb5_free_error(context, err_reply);
@@ -278,6 +280,8 @@ send_again:
                    goto send_again;
                }
                krb5_free_error(context, err_reply);
+           send_tgs_error_3:
+               ;
            }
            rep->message_type = KRB5_ERROR;
        } else if (krb5_is_tgs_rep(&rep->response))
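Review bot: Jumping to a label followed by an empty statement inside the `if (!tcp_only)` block is a harder-to-read way of skipping the err_reply handling; the same effect is had with no label by guarding the block, `if (retval == 0) {` before the `err_reply->error` check and a closing `}` after the final `krb5_free_error`. Note that on a decode failure `retval` stays set while execution continues to `rep->message_type = KRB5_ERROR;`; if the function's later return path (outside the hunk) does not return `retval`, the decode error is silently lost — worth confirming. The enclosing function starts and ends outside the hunk.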