subject; krb5_do_preauth could attempt to free NULL pointer
author Ezra Peisach <epeisach@mit.edu>
Mon, 17 Jan 2005 17:32:26 +0000 (17:32 +0000)
committer Ezra Peisach <epeisach@mit.edu>
Mon, 17 Jan 2005 17:32:26 +0000 (17:32 +0000)
* preauth2.c (krb5_do_preauth): Upon error in decoding
krb5_type_info{,2}, on failure, do not call krb5_free_type_info
with a null pointer.

The only way to reach this code is to set a preauth list requesting ETYPE_INFO
or ETYPE_INFO2 in a call to krb5_get_in_tkt_with_password.

Before sending the request, krb5_do_preauth tries to parse a NULL length asn1 buffer,
fails and tries to free a null pointer.

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17047 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/preauth2.c

index 224127806fde862072f650633979024f9e8e0895..95578ce0d2edb166ede3e15b4972c897f570ce34 100644 (file)
@@ -1,3 +1,9 @@
+2005-01-17  Ezra Peisach  <epeisach@mit.edu>
+
+       * preauth2.c (krb5_do_preauth): Upon error in decoding
+       krb5_type_info{,2}, on failure, do not call krb5_free_type_info
+       with a null pointer.
+
 2005-01-15  Jeffrey Altman <jaltman@mit.edu>
 
         * cp_key_cnt.c, copy_princ.c:
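Review bot: The new ChangeLog entry names krb5_type_info{,2} and krb5_free_type_info, but the preauth2.c hunk decodes with decode_krb5_etype_info and frees with krb5_free_etype_info, so the "e" is missing from both names and a search of the ChangeLog for the real function will not find this entry. Suggest spelling the names as they appear in the code, and keeping only one of "Upon error" and "on failure", since the sentence currently says it twice.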
index 6238a8276fc1c01ff7854366c3e11a01cb564eb5..e146c3d3a25d7cb0258d093d0de098139423f134 100644 (file)
@@ -892,7 +892,8 @@ krb5_do_preauth(krb5_context context,
                else ret = decode_krb5_etype_info(&scratch, &etype_info);
                if (ret) {
                    ret = 0; /*Ignore error and etype_info element*/
-                   krb5_free_etype_info( context, etype_info);
+                   if (etype_info) 
+                     krb5_free_etype_info( context, etype_info);
                    etype_info = NULL;
                    continue;
                }
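Review bot: The added `if (etype_info)` guard is only safe if etype_info is NULL before the decode call and the decoder leaves it either NULL or fully valid on every failure path, and neither condition is visible in this hunk. The `else ret = decode_krb5_etype_info(...)` line implies a second decoder in the branch above, so both need to honour that contract; if either can leave a partially built or stale pointer on error, the free is still unsafe. Consider making krb5_free_etype_info tolerate NULL so callers need no guard, or skipping the decode entirely when the buffer is empty, which is the case the commit message describes. Minor: the added `if` line has trailing whitespace, and the call beneath it is indented two columns where the surrounding code steps by four.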