svn rev #22250: branches/krb5-1-7/src/ lib/krb5/asn.1/ tests/asn.1/
tlyu@MIT.EDU
tlyu at MIT.EDU
Wed Apr 15 16:07:35 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22250
Commit By: tlyu
Log Message:
ticket: 6445
version_fixed: 1.7
pull up r22176 from trunk
------------------------------------------------------------------------
r22176 | tlyu | 2009-04-07 17:22:23 -0400 (Tue, 07 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1_decode.c
M /trunk/src/tests/asn.1/krb5_decode_test.c
ticket: 6445
subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.7
The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.
Changed Files:
U branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c
U branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c
Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c 2009-04-15 20:07:32 UTC (rev 22249)
+++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c 2009-04-15 20:07:34 UTC (rev 22250)
@@ -231,6 +231,7 @@
if (length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if (s[14] != 'Z') {
free(s);
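Review bot: Nothing at the new `if (retval) return retval;` records why the function must return before `s[14]` is read, and `s` appears to remain uninitialized at its declaration, which is outside this hunk. A one-line comment such as `/* s is not set when asn1buf_remove_charstring() fails; it must not be read or freed */` would keep the reason visible to whoever next edits this path. If the declaration is not already initialized, `char *s = NULL;` would make any later cleanup path harmless, since free(NULL) is a no-op. The rest of asn1_decode_generaltime lies outside the hunk, so other uses of `s` could not be checked here.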
Modified: branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c 2009-04-15 20:07:32 UTC (rev 22249)
+++ branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c 2009-04-15 20:07:34 UTC (rev 22250)
@@ -486,6 +486,22 @@
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_ap_rep_enc_part(test_context, var);
+
ktest_empty_ap_rep_enc_part(&ref);
}
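Review bot: The `ERROR: ` branch after `decode_krb5_ap_rep_enc_part(&code, &var)` only prints, so a regression of this fix would go unnoticed unless something inspects the output. The branch should also record the failure the way the rest of the harness does; its counter or exit status is not visible in this hunk. Separately, `krb5_free_ap_rep_enc_part(test_context, var)` runs after a decode that is expected to fail, and `var` was last handed to the preceding `decode_run`, which is given the same free function. Unless the decoder resets its output on every error path, that frees a stale pointer; adding `var = NULL;` before the decode call makes the cleanup safe either way, assuming the free function tolerates NULL. The enclosing test function begins outside the hunk.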