From: Tom Yu
Date: Wed, 5 Sep 2007 21:27:23 +0000 (+0000)
Subject: pull up r19914 from trunk
X-Git-Tag: krb5-1.6.3-beta1~20
X-Git-Url: http://git.tremily.us/gitweb.cgi?a=commitdiff_plain;h=5cf3f61e11ef9e42a0602a6e84290da39712a9fe;p=krb5.git
pull up r19914 from trunk
r19914@cathode-dark-space: tlyu | 2007-09-04 14:53:09 -0400
ticket: new
target_version: 1.6.3
tags: pullup
subject: fix CVE-2007-4000 modify_policy vulnerability
In kadm5_modify_policy_internal, check for nonexistence of policy before doing anything with it, to avoid memory corruption.
ticket: 5707
version_fixed: 1.6.3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19926 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index d57d2f158..512876b79 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -211,8 +211,9 @@ kadm5_modify_policy_internal(void *server_handle,
 if((mask & KADM5_POLICY))
 return KADM5_BAD_MASK;

- ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
- if( ret && (cnt==0) )
+ if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
+ return ret;
+ if (cnt != 1)
 return KADM5_UNK_POLICY;

 if ((mask & KADM5_PW_MAX_LIFE))
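Review bot: The new `if (cnt != 1)` guard is the only thing keeping the later `p->...` writes away from an unset pointer, and nothing at that line says so. The removed condition suggests the lookup can return success with `cnt == 0`, so I would add a comment above the guard such as `/* lookup may succeed with cnt == 0 and leave p unset; p must not be touched unless cnt == 1 */`, so a later cleanup does not fold the two checks back together. The declaration of `p` is outside this hunk; if it has no initializer, making it `= NULL` would be cheap defence in depth, since a regression would then fault on a null pointer instead of writing through stack garbage. Separately, the early `return ret;` now hands the database layer's error code straight to kadm5 callers, so it is worth confirming that callers (and the documented return codes) expect that. The body of kadm5_modify_policy_internal continues past the end of the hunk, so whether `p` is released on every later exit cannot be checked from here.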