+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * klist.c: Fix double-free vulnerabilities.
+
2004-07-11 Ken Raeburn <raeburn@mit.edu>
* klist.c: Include autoconf.h before network headers.
if (show_etype) {
retval = krb5_decode_ticket(&cred->ticket, &tkt);
+ if (retval)
+ goto err_tkt;
+
if (!extra_field)
fputs("\t",stdout);
else
etype_string(cred->keyblock.enctype));
printf("%s ",
etype_string(tkt->enc_part.enctype));
- krb5_free_ticket(kcontext, tkt);
extra_field++;
+
+ err_tkt:
+ if (tkt != NULL)
+ krb5_free_ticket(kcontext, tkt);
}
/* if any additional info was printed, extra_field is non-zero */
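Review bot: The `if (tkt != NULL)` test at `err_tkt:` is only reliable if `tkt` starts out as NULL, and its declaration is outside this hunk. If krb5_decode_ticket() can fail before it stores anything through `&tkt`, an uninitialised `tkt` would reach krb5_free_ticket(), trading the double free for a free of an indeterminate pointer. Declaring it as `krb5_ticket *tkt = NULL;` makes the cleanup independent of what the decoder does on its failure paths. The enclosing function starts and ends outside the hunk.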
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * krb524d.c: Fix double-free vulnerabilities.
+
2004-08-08 Ken Raeburn <raeburn@mit.edu>
* krb524d.c (do_connection): Use socklen_t for the size of the
printf("v4 credentials encoded\n");
error:
- if (v5tkt->enc_part2)
+ if (v5tkt->enc_part2) {
krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2 = NULL;
+ }
if(v5_service_key.contents)
krb5_free_keyblock_contents(context, &v5_service_key);
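Review bot: The reason for clearing `v5tkt->enc_part2` under `error:` is not stated in the code, so the assignment looks redundant and is easy to drop in a later cleanup. Presumably the ticket is released again by its owner after this function returns, which would free `enc_part2` a second time if the pointer were left dangling; the owner is outside the hunk, so this should be confirmed. I would add a comment above the block such as `/* v5tkt is freed later by its owner; clear enc_part2 so it is not released twice */`. The `error:` path also dereferences `v5tkt` without a NULL check, which is safe only if every jump to the label is made with a valid ticket.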
+2004-08-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1buf.c:
+ * krb5_decode.c: Fix double-free vulnerabilities.
+
2004-06-10 Ken Raeburn <raeburn@mit.edu>
* asn1_encode.c (asn1_encode_generaltime): Fix memcpy argument to
(*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char));
if ((*code)->data == NULL) {
free(*code);
+ *code = NULL;
return ENOMEM;
}
for(i=0; i < (*code)->length; i++)
#define cleanup(cleanup_routine)\
return 0; \
error_out: \
- if (rep && *rep) \
+ if (rep && *rep) { \
cleanup_routine(*rep); \
+ *rep = NULL; \
+ } \
return retval;
#define cleanup_none()\
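Review bot: The `cleanup` macro now has a post-condition that callers depend on for memory safety, but nothing in the macro documents it. After this change a failing decoder frees `*rep` and sets it to NULL, so a caller that frees the output on error is harmless, and one that tests the pointer sees NULL. A comment above the macro would keep that contract visible, for example `/* on error: *rep is freed and reset to NULL; callers must not rely on its old value */`. The macro body begins outside the hunk.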
free_field(*rep,checksum);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
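Review bot: The pair `free(*rep);` / `*rep = NULL;` is written out by hand in this `error_out` block and again in each of the following `error_out` hunks (the ones freeing `server`, `session`/`client`, `ticket`, `subkey`, `checksum`, `r_address`/`s_address` and `server`/`client`). A decoder added later can easily copy the free and omit the reset, which would bring the dangling out-parameter back. Folding both steps into one helper next to `free_field` would keep them together, e.g. `#define free_rep() do { free(*rep); *rep = NULL; } while (0)` (name is only a suggestion). The enclosing functions start outside these hunks.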
{ begin_structure();
{ krb5_kvno kvno;
get_field(kvno,0,asn1_decode_kvno);
- if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO;
+ if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO);
}
alloc_field((*rep)->server,krb5_principal_data);
get_field((*rep)->server,1,asn1_decode_realm);
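Review bot: `clean_return(KRB5KDC_ERR_BAD_PVNO)` is used as the body of an unbraced `if`, and the macro's definition is not visible in this hunk. If it expands to more than one statement without enclosing braces or a `do { } while (0)` wrapper, only the first statement would be conditional and the jump to `error_out` would run on every call. It is worth confirming the definition, or bracing the call site: `if (kvno != KVNO) { clean_return(KRB5KDC_ERR_BAD_PVNO); }`.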
if (rep && *rep) {
free_field(*rep,server);
free(*rep);
+ *rep = NULL;
}
return retval;
}
free_field(*rep,session);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
if (rep && *rep) {
free_field(*rep,ticket);
free(*rep);
+ *rep = NULL;
}
return retval;
}
if (rep && *rep) {
free_field(*rep,subkey);
free(*rep);
+ *rep = NULL;
}
return retval;
}
if (rep && *rep) {
free_field(*rep,checksum);
free(*rep);
+ *rep = NULL;
}
return retval;
}
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
free_field(*rep,server);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
+ if (retval)
+ goto clean_scratch;
/* Check reply fields */
if (((*repl)->ctime != auth_context->authentp->ctime) ||
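Review bot: The field checks that begin on the last line of this hunk run after `*repl` has been populated, and the hunk does not show what happens to `*repl` if they fail. The new guard covers the decode failure, where the decoder leaves nothing behind. If the later checks also exit through `clean_scratch` with an error, the caller presumably receives a non-zero return together with a live `*repl`. For consistency with the decoders, that path should free and clear `*repl` too, or a comment should state that the caller owns it even on error. The function and the `clean_scratch` label are outside the hunk.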
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
+ if (retval)
+ goto send_tgs_error_3;
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
goto send_again;
}
krb5_free_error(context, err_reply);
+ send_tgs_error_3:
+ ;
}
rep->message_type = KRB5_ERROR;
} else if (krb5_is_tgs_rep(&rep->response))
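Review bot: The label `send_tgs_error_3` reads like an error exit, but it marks an empty statement inside the `if (!tcp_only)` block. Control then continues to `rep->message_type = KRB5_ERROR;` with `retval` still holding the decode failure. Whether the caller then sees a non-zero return together with a populated `rep->response` depends on code outside the hunk, so ownership of that buffer on this path should be confirmed. At minimum I would add a comment at the label, e.g. `/* decode failed: err_reply was never set; fall through with retval set */`.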