From 6769d4fc0a3fdeef3f0530257d742647a2c847fb Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Tue, 7 Apr 2009 21:22:23 +0000
Subject: [PATCH] CVE-2009-0846 asn1_decode_generaltime can free uninitialized
 pointer

The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.

ticket: 6445
tags: pullup
target_version: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22176 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/asn.1/asn1_decode.c   |  1 +
 src/tests/asn.1/krb5_decode_test.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index 94d62eace..032e82734 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
 
     if (length != 15) return ASN1_BAD_LENGTH;
     retval = asn1buf_remove_charstring(buf,15,&s);
+    if (retval) return retval;
     /* Time encoding: YYYYMMDDhhmmssZ */
     if (s[14] != 'Z') {
         free(s);
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 68581f103..7136669ac 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -486,6 +486,22 @@ int main(argc, argv)
 	ktest_destroy_keyblock(&(ref.subkey));
 	ref.seq_number = 0;
 	decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+	retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+	if (retval) {
+	    com_err("krb5_decode_test", retval, "while parsing");
+	    exit(1);
+	}
+	retval = decode_krb5_ap_rep_enc_part(&code, &var);
+	if (retval != ASN1_OVERRUN) {
+	    printf("ERROR: ");
+	} else {
+	    printf("OK: ");
+	}
+	printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+	krb5_free_data_contents(test_context, &code);
+	krb5_free_ap_rep_enc_part(test_context, var);
+
 	ktest_empty_ap_rep_enc_part(&ref);
     }
   
-- 
2.26.2