From e88f857c3680ea395c0bed6a82862d8ea1177221 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 13 Apr 2011 18:43:37 +0000 Subject: [PATCH] Fix the sole case in process_chpw_request() where a return could occur without allocating the data pointer in the response. This prevents a later free() of an invalid pointer in kill_tcp_or_rpc_connection(). Also initialize rep->data to NULL in process_chpw_request() and clean up *response in dispatch() as an additional precaution. ticket: 6899 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/server/schpw.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c index d12c5075b..ca0710754 100644 --- a/src/kadmin/server/schpw.c +++ b/src/kadmin/server/schpw.c @@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab, ret = 0; rep->length = 0; + rep->data = NULL; auth_context = NULL; changepw = NULL; @@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab, plen = (*ptr++ & 0xff); plen = (plen<<8) | (*ptr++ & 0xff); - if (plen != req->length) - return(KRB5KRB_AP_ERR_MODIFIED); + if (plen != req->length) { + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request length was inconsistent", + sizeof(strresult)); + goto chpwfail; + } /* verify version number */ @@ -534,6 +540,10 @@ cleanup: if (local_kaddrs != NULL) krb5_free_addresses(server_handle->context, local_kaddrs); + if ((*response)->data == NULL) { + free(*response); + *response = NULL; + } krb5_kt_close(server_handle->context, kt); return ret; -- 2.26.2