KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
authorTom Yu <tlyu@mit.edu>
Tue, 15 Mar 2011 23:50:09 +0000 (23:50 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 15 Mar 2011 23:50:09 +0000 (23:50 +0000)
pull up r24705 from trunk

 ------------------------------------------------------------------------
 r24705 | tlyu | 2011-03-15 17:47:19 -0400 (Tue, 15 Mar 2011) | 8 lines

 ticket: 6881
 subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
 tags: pullup
 target_version: 1.9.1

 Fix a double-free condition in the KDC that can occur during an
 AS-REQ when PKINIT is enabled.

ticket: 6882
status: resolved
version_fixed: 1.8.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24707 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_as_req.c

index 39242979aa3c8944123a29dc5b6d00f295dad18f..4eb752c5fe76dc2b84da922abe2fd28b10ff7b14 100644 (file)
@@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad->contents = td[size]->data;
                     pad->length = td[size]->length;
                     pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                 }
             krb5_free_typed_data(kdc_context, td);
         }