From 5cf3f61e11ef9e42a0602a6e84290da39712a9fe Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 5 Sep 2007 21:27:23 +0000 Subject: [PATCH] pull up r19914 from trunk r19914@cathode-dark-space: tlyu | 2007-09-04 14:53:09 -0400 ticket: new target_version: 1.6.3 tags: pullup subject: fix CVE-2007-4000 modify_policy vulnerability In kadm5_modify_policy_internal, check for nonexistence of policy before doing anything with it, to avoid memory corruption. ticket: 5707 version_fixed: 1.6.3 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19926 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kadm5/srv/svr_policy.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index d57d2f158..512876b79 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c @@ -211,8 +211,9 @@ kadm5_modify_policy_internal(void *server_handle, if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; - ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); - if( ret && (cnt==0) ) + if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) + return ret; + if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) -- 2.26.2