From 9755aac29ccaac6977a93aa4305963ac29748641 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 12 Jul 2005 19:56:56 +0000 Subject: [PATCH] fix MITKRB5-SA-2005-002 KDC double-free and heap overflow Fix for MITKRB5-SA-2005-002 * KDC double-free [CAN-2005-1174, VU#259798] * krb5_unparse_name heap overflow [CAN-2005-1175, VU#885830] Thanks to Daniel Wachdorf. ticket: new flags: pullup target_version: 1.4.2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17298 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 10 ++++++++++ src/kdc/do_as_req.c | 6 +++++- src/kdc/do_tgs_req.c | 6 +++++- src/kdc/network.c | 1 + src/lib/krb5/krb/ChangeLog | 7 +++++++ src/lib/krb5/krb/unparse.c | 2 ++ 6 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 8cbcf5bc1..c723ab128 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,13 @@ +2005-07-12 Tom Yu + + * do_as_req.c (prepare_error_as): + * do_tgs_req.c (prepare_error_tgs): Free scratch only if no error, + to avoid double-free. Thanks to Daniel Wachdorf for discovering + these. Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1174, + VU#259798]. + + * network.c (process_packet): Initialize response to NULL. + 2005-06-20 Ken Raeburn * Makefile.in (KDB_DEP_LIB): Use DL_LIB and THREAD_LINKOPTS diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index f292a17f8..2916cfee0 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -523,6 +523,10 @@ prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data, retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); - *response = scratch; + if (retval) + free(scratch); + else + *response = scratch; + return retval; } diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 7aecb227e..d85d4b58c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -721,7 +721,11 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); - *response = scratch; + if (retval) + free(scratch); + else + *response = scratch; + return retval; } diff --git a/src/kdc/network.c b/src/kdc/network.c index 84a90b16f..658039a3e 100644 --- a/src/kdc/network.c +++ b/src/kdc/network.c @@ -721,6 +721,7 @@ static void process_packet(struct connection *conn, const char *prog, char pktbuf[MAX_DGRAM_SIZE]; int port_fd = conn->fd; + response = NULL; saddr_len = sizeof(saddr); cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0, (struct sockaddr *)&saddr, &saddr_len); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index e40681409..ce0b970ef 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,10 @@ +2005-07-12 Tom Yu + + * unparse.c (krb5_unparse_name_ext): Account for zero-component + principal, to avoid single-byte overflow. Thanks to Daniel + Wachdorf. Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175, + VU#885830]. + 2005-06-29 Ken Raeburn * t_ser.c (ser_data): Don't initialize db serialization code that diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c index badb5bf97..a67636641 100644 --- a/src/lib/krb5/krb/unparse.c +++ b/src/lib/krb5/krb/unparse.c @@ -91,6 +91,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi totalsize++; totalsize++; /* This is for the separator */ } + if (nelem == 0) + totalsize++; /* * Allocate space for the ascii string; if space has been -- 2.26.2