r19914@cathode-dark-space: tlyu | 2007-09-04 14:53:09 -0400
ticket: new
target_version: 1.6.3
tags: pullup
subject: fix CVE-2007-4000 modify_policy vulnerability
In kadm5_modify_policy_internal, check for nonexistence of policy
before doing anything with it, to avoid memory corruption.
ticket: 5707
version_fixed: 1.6.3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19926 dc483132-0cff-0310-8789-dd5450dbe970
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
- ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
- if( ret && (cnt==0) )
+ if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
+ return ret;
+ if (cnt != 1)
return KADM5_UNK_POLICY;
if ((mask & KADM5_PW_MAX_LIFE))
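Review bot: the new `if (cnt != 1)` test needs a short comment saying that krb5_db_get_policy can return 0 with cnt == 0, and that p must not be used in that case. Without it, the reason for checking cnt after a successful return is not visible to the next reader, and the removed `if( ret && (cnt==0) )` shows how easily the condition is written wrong. Also note in the commit message or a comment that the error mapping changes: a non-zero ret used to fall into the KADM5_UNK_POLICY return only when cnt was 0, and is now returned to the caller unchanged by `return ret;`, so callers that compare against KADM5_UNK_POLICY should be checked. If cnt can ever exceed 1 here, confirm whether p needs releasing before the KADM5_UNK_POLICY return, since no free is visible on that path.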