svn rev #22176: trunk/src/ lib/krb5/asn.1/ tests/asn.1/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Apr 7 17:22:23 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22176
Commit By: tlyu
Log Message:
ticket: 6445
subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.7

The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.


Changed Files:
U   trunk/src/lib/krb5/asn.1/asn1_decode.c
U   trunk/src/tests/asn.1/krb5_decode_test.c
Modified: trunk/src/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_decode.c	2009-04-07 21:22:20 UTC (rev 22175)
+++ trunk/src/lib/krb5/asn.1/asn1_decode.c	2009-04-07 21:22:23 UTC (rev 22176)
@@ -231,6 +231,7 @@
 
     if (length != 15) return ASN1_BAD_LENGTH;
     retval = asn1buf_remove_charstring(buf,15,&s);
+    if (retval) return retval;
     /* Time encoding: YYYYMMDDhhmmssZ */
     if (s[14] != 'Z') {
         free(s);
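Review bot: The added guard returns before `s` is read, which closes the free-of-uninitialized-pointer path, but `s` is still only assigned on the success path of asn1buf_remove_charstring(); initializing it at its declaration, `char *s = NULL;`, would keep any later error path that reaches `free(s)` well-defined too. asn1_decode_generaltime() begins and ends outside this hunk, so the declaration of `s` and its remaining uses past the `'Z'` check are not visible here. Worth confirming that every early return after this line frees `s`, since from this point on the buffer is guaranteed to have been allocated.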

Modified: trunk/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_test.c	2009-04-07 21:22:20 UTC (rev 22175)
+++ trunk/src/tests/asn.1/krb5_decode_test.c	2009-04-07 21:22:23 UTC (rev 22176)
@@ -486,6 +486,22 @@
 	ktest_destroy_keyblock(&(ref.subkey));
 	ref.seq_number = 0;
 	decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+	retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+	if (retval) {
+	    com_err("krb5_decode_test", retval, "while parsing");
+	    exit(1);
+	}
+	retval = decode_krb5_ap_rep_enc_part(&code, &var);
+	if (retval != ASN1_OVERRUN) {
+	    printf("ERROR: ");
+	} else {
+	    printf("OK: ");
+	}
+	printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+	krb5_free_data_contents(test_context, &code);
+	krb5_free_ap_rep_enc_part(test_context, var);
+
 	ktest_empty_ap_rep_enc_part(&ref);
     }
   
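Review bot: `krb5_free_ap_rep_enc_part(test_context, var)` runs after a decode that is expected to fail with ASN1_OVERRUN, so the test is only sound if decode_krb5_ap_rep_enc_part() resets `*var` on failure; if it leaves `var` untouched or partially filled, this frees an uninitialized or stale pointer, the same class of bug the commit fixes in the library. Setting `var = NULL;` before the decode call, or freeing only when `retval == 0`, makes the test independent of that contract. The outcome is also only printed: unless the harness tracks failures elsewhere, a regression here would emit `ERROR:` without affecting the exit status. The enclosing block starts outside this hunk, so the declaration of `var` cannot be checked here.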



