From 97e0daf65d3329832e6319910cca966f340857a8 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 15 Apr 2009 20:07:34 +0000
Subject: [PATCH] pull up r22176 from trunk

------------------------------------------------------------------------
r22176 | tlyu | 2009-04-07 17:22:23 -0400 (Tue, 07 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1_decode.c
M /trunk/src/tests/asn.1/krb5_decode_test.c
ticket: 6445
subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.7
The asn1_decode_generaltime() function can free an uninitialized pointer if asn1buf_remove_charstring() fails.
ticket: 6445
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22250 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/asn.1/asn1_decode.c | 1 +
 src/tests/asn.1/krb5_decode_test.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index 94d62eace..032e82734 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
 if (length != 15) return ASN1_BAD_LENGTH;
 retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
 /* Time encoding: YYYYMMDDhhmmssZ */
 if (s[14] != 'Z') {
 free(s);
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 68581f103..7136669ac 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
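Review bot: The added `if (retval) return retval;` closes the path where `free(s)` ran on an uninitialized pointer, but `s` is still declared without an initializer above the hunk, so the function stays one missed check away from the same class of bug; initializing it at its declaration, `char *s = NULL;`, makes any future early `free(s)` a harmless no-op. A short comment on the new line would record why it matters, e.g. `/* s is unset when the remove fails; must not fall through to free(s) below. */`. The failing case is a truncated or inconsistent length in the encoded timestamp (the test hunk expects ASN1_OVERRUN for it), which is reachable from any decoded message, so the early return is the right place to stop. asn1_decode_generaltime's declarations and the rest of its body lie outside the hunk.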
@@ -486,6 +486,22 @@ int main(argc, argv)
 ktest_destroy_keyblock(&(ref.subkey));
 ref.seq_number = 0;
 decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_ap_rep_enc_part(test_context, var);
+ ktest_empty_ap_rep_enc_part(&ref);
 }
-- 
2.26.2
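Review bot: On the expected ASN1_OVERRUN path `var` is probably never assigned by decode_krb5_ap_rep_enc_part (these decoders appear to set the out-pointer only on success), so `krb5_free_ap_rep_enc_part(test_context, var);` at the end of the new block releases whatever `var` still held from the preceding decode_run, which already freed it — a likely double free inside the test itself. Resetting the pointer before the call, `var = NULL;`, and guarding the release, `if (var != NULL) krb5_free_ap_rep_enc_part(test_context, var);`, keeps the cleanup correct on both outcomes. The `ERROR:` branch only prints; if the harness keys off the exit status rather than the output, a regression of the decoder fix would go unnoticed, so consider recording the failure the way the file's other checks do. main begins and ends outside the hunk.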