From a37f039625cc1ddf5c66fa43e3534ded461337d3 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 31 Aug 2004 18:52:26 +0000 Subject: [PATCH] fix MITKRB5-SA-2004-002 Fix double-free vulnerabilities [MITKRB5-SA-2004-002]. ticket: new target_version: 1.3.5 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16701 dc483132-0cff-0310-8789-dd5450dbe970 --- src/clients/klist/ChangeLog | 4 ++++ src/clients/klist/klist.c | 8 +++++++- src/krb524/ChangeLog | 4 ++++ src/krb524/krb524d.c | 4 +++- src/lib/krb5/asn.1/ChangeLog | 5 +++++ src/lib/krb5/asn.1/asn1buf.c | 1 + src/lib/krb5/asn.1/krb5_decode.c | 15 +++++++++++++-- src/lib/krb5/krb/rd_rep.c | 2 ++ src/lib/krb5/krb/send_tgs.c | 4 ++++ 9 files changed, 43 insertions(+), 4 deletions(-) diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog index f6b73d86b..3fb4ec1b3 100644 --- a/src/clients/klist/ChangeLog +++ b/src/clients/klist/ChangeLog @@ -1,3 +1,7 @@ +2004-08-31 Tom Yu + + * klist.c: Fix double-free vulnerabilities. + 2004-07-11 Ken Raeburn * klist.c: Include autoconf.h before network headers. diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index 368f799b7..8a70e0685 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -616,6 +616,9 @@ show_credential(cred) if (show_etype) { retval = krb5_decode_ticket(&cred->ticket, &tkt); + if (retval) + goto err_tkt; + if (!extra_field) fputs("\t",stdout); else @@ -624,8 +627,11 @@ show_credential(cred) etype_string(cred->keyblock.enctype)); printf("%s ", etype_string(tkt->enc_part.enctype)); - krb5_free_ticket(kcontext, tkt); extra_field++; + + err_tkt: + if (tkt != NULL) + krb5_free_ticket(kcontext, tkt); } /* if any additional info was printed, extra_field is non-zero */ diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index f7601ff83..e36bff904 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,7 @@ +2004-08-31 Tom Yu + + * krb524d.c: Fix double-free vulnerabilities. + 2004-08-08 Ken Raeburn * krb524d.c (do_connection): Use socklen_t for the size of the diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index ba9be957f..5b3641bcc 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -583,8 +583,10 @@ ret = KRB5KDC_ERR_POLICY ; printf("v4 credentials encoded\n"); error: - if (v5tkt->enc_part2) + if (v5tkt->enc_part2) { krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + v5tkt->enc_part2 = NULL; + } if(v5_service_key.contents) krb5_free_keyblock_contents(context, &v5_service_key); diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index ce20ff65c..fd0bf2daf 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,8 @@ +2004-08-31 Tom Yu + + * asn1buf.c: + * krb5_decode.c: Fix double-free vulnerabilities. + 2004-06-10 Ken Raeburn * asn1_encode.c (asn1_encode_generaltime): Fix memcpy argument to diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c index 47e190280..566d41e7b 100644 --- a/src/lib/krb5/asn.1/asn1buf.c +++ b/src/lib/krb5/asn.1/asn1buf.c @@ -255,6 +255,7 @@ asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code) (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); if ((*code)->data == NULL) { free(*code); + *code = NULL; return ENOMEM; } for(i=0; i < (*code)->length; i++) diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 596997fe9..7457c0095 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c @@ -183,8 +183,10 @@ get_lenfield_body(len,var,decoder) #define cleanup(cleanup_routine)\ return 0; \ error_out: \ - if (rep && *rep) \ + if (rep && *rep) { \ cleanup_routine(*rep); \ + *rep = NULL; \ + } \ return retval; #define cleanup_none()\ @@ -233,6 +235,7 @@ error_out: free_field(*rep,checksum); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } @@ -254,7 +257,7 @@ krb5_error_code decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep) { begin_structure(); { krb5_kvno kvno; get_field(kvno,0,asn1_decode_kvno); - if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; + if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); } alloc_field((*rep)->server,krb5_principal_data); get_field((*rep)->server,1,asn1_decode_realm); @@ -268,6 +271,7 @@ error_out: if (rep && *rep) { free_field(*rep,server); free(*rep); + *rep = NULL; } return retval; } @@ -320,6 +324,7 @@ error_out: free_field(*rep,session); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } @@ -403,6 +408,7 @@ error_out: if (rep && *rep) { free_field(*rep,ticket); free(*rep); + *rep = NULL; } return retval; } @@ -451,6 +457,7 @@ error_out: if (rep && *rep) { free_field(*rep,subkey); free(*rep); + *rep = NULL; } return retval; } @@ -556,6 +563,7 @@ error_out: if (rep && *rep) { free_field(*rep,checksum); free(*rep); + *rep = NULL; } return retval; } @@ -614,6 +622,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); + *rep = NULL; } return retval; } @@ -668,6 +677,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); + *rep = NULL; } return retval; } @@ -713,6 +723,7 @@ error_out: free_field(*rep,server); free_field(*rep,client); free(*rep); + *rep = NULL; } return retval; } diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 80192294e..6742d8a03 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -71,6 +71,8 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat /* now decode the decrypted stuff */ retval = decode_krb5_ap_rep_enc_part(&scratch, repl); + if (retval) + goto clean_scratch; /* Check reply fields */ if (((*repl)->ctime != auth_context->authentp->ctime) || diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index a5ffe1d4b..8fc60212c 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -270,6 +270,8 @@ send_again: if (!tcp_only) { krb5_error *err_reply; retval = decode_krb5_error(&rep->response, &err_reply); + if (retval) + goto send_tgs_error_3; if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { tcp_only = 1; krb5_free_error(context, err_reply); @@ -278,6 +280,8 @@ send_again: goto send_again; } krb5_free_error(context, err_reply); + send_tgs_error_3: + ; } rep->message_type = KRB5_ERROR; } else if (krb5_is_tgs_rep(&rep->response)) -- 2.26.2