svn rev #22181: branches/krb5-1-6/src/ lib/krb5/asn.1/ tests/asn.1/
tlyu@MIT.EDU
tlyu at MIT.EDU
Tue Apr 7 21:23:04 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22181
Commit By: tlyu
Log Message:
ticket: 6448
subject: CVE-2009-0846 (1.6.x) asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4
pull up rxxxx from trunk
The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.
Changed Files:
U branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c
U branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c
Modified: branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c 2009-04-08 01:22:57 UTC (rev 22180)
+++ branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c 2009-04-08 01:23:03 UTC (rev 22181)
@@ -231,6 +231,7 @@
if(length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if(s[14] != 'Z') {
free(s);
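Review bot: The added `if (retval) return retval;` is the whole fix, yet nothing records why it must sit between the asn1buf_remove_charstring() call and the first use of `s`; a one-line comment would keep a later refactor from dropping it: `/* s is assigned only on success; return before the failure path can free an uninitialized pointer */`. The new line is written `if (retval)` while the neighbouring lines use `if(length != 15)` and `if(s[14] != 'Z')`, so the spacing is worth matching to the file's style. asn1_decode_generaltime's body begins and ends outside this hunk, so I could not check whether other callers of asn1buf_remove_charstring() in this file test retval before touching the output pointer; the same pattern is worth auditing in the same change.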
Modified: branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c 2009-04-08 01:22:57 UTC (rev 22180)
+++ branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c 2009-04-08 01:23:03 UTC (rev 22181)
@@ -485,6 +485,22 @@
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ if (!retval) krb5_free_ap_rep_enc_part(test_context, var);
+
ktest_empty_ap_rep_enc_part(&ref);
}
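Review bot: The new negative test reports a wrong result only by printing `ERROR: ` and then falls through to the cleanup, so unless the harness derives its exit status from scanning output (not visible here) a regression of this fix would pass the run; the hex-parse failure a few lines above already does `exit(1)`, and the error branch should do the same or bump whatever failure count decode_run() maintains, which I cannot see from this hunk. The hand-built encoding also deserves a comment, since the only difference from the decode_run() vector on the line above is the shortened lengths: `/* outer 7B 06 / inner 30 04 are too short for the 15-byte GeneralizedTime that follows, so the decoder must fail with ASN1_OVERRUN rather than read s */`. The enclosing test function begins before this hunk.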