back-port r24878 for 1.7-branch
------------------------------------------------------------------------
r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines
ticket: 6899
tags: pullup
target_version: 1.9.1
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
ticket: 6901
status: resolved
version_fixed: 1.7.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24881
dc483132-0cff-0310-8789-
dd5450dbe970
if (local_kaddrs != NULL)
krb5_free_addresses(server_handle->context, local_kaddrs);
+ if ((*response)->data == NULL) {
+ free(*response);
+ *response = NULL;
+ }
krb5_kt_close(server_handle->context, kt);
return ret;
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
- if (plen != req->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ if (plen != req->length) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+ goto chpwfail;
+ }
/* verify version number */
projects / krb5.git / commitdiff