svn rev #22427: branches/krb5-1-6/src/ kadmin/server/ kdc/ lib/krb5/krb/ slave/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Jul 8 21:59:03 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22427
Commit By: tlyu
Log Message:
ticket: 5998
version_fixed: 1.6.4

pull up r20485 from trunk
 ------------------------------------------------------------------------
 r20485 | raeburn | 2008-06-26 23:33:14 -0400 (Thu, 26 Jun 2008) | 8 lines

 ticket: new
 target_version: 1.6.4
 tags: pullup
 subject: use-after-free bugs

 Fix some bugs with storage being used immediately after being freed.
 None look like anything an attacker can really manipulate AFAICT.


Changed Files:
U   branches/krb5-1-6/src/kadmin/server/server_stubs.c
U   branches/krb5-1-6/src/kdc/network.c
U   branches/krb5-1-6/src/lib/krb5/krb/mk_cred.c
U   branches/krb5-1-6/src/slave/kprop.c
Modified: branches/krb5-1-6/src/kadmin/server/server_stubs.c
===================================================================
--- branches/krb5-1-6/src/kadmin/server/server_stubs.c	2009-07-09 01:54:50 UTC (rev 22426)
+++ branches/krb5-1-6/src/kadmin/server/server_stubs.c	2009-07-09 01:59:03 UTC (rev 22427)
@@ -1628,7 +1628,7 @@
      }
 
      if (ret.code != 0)
-	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+	 errmsg = krb5_get_error_message(NULL, ret.code);
      else
 	 errmsg = "success";
 
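Review bot: The new call `krb5_get_error_message(NULL, ret.code)` carries no comment saying why the context is deliberately not taken from `handle`, so a later cleanup could restore `handle->context` and bring the use-after-free back. Presumably the handle has already been released earlier in this function, which starts and ends outside the hunk; a comment such as `/* handle may already be freed here; do not touch handle->context */` above the call would pin that down. With a NULL context any extended error text stored in the context is presumably lost and only the generic text for the code is returned; if that detail matters, fetch the message before the handle is released. It is also worth confirming outside the hunk that whatever later releases `errmsg` skips the `"success"` literal.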

Modified: branches/krb5-1-6/src/kdc/network.c
===================================================================
--- branches/krb5-1-6/src/kdc/network.c	2009-07-09 01:54:50 UTC (rev 22426)
+++ branches/krb5-1-6/src/kdc/network.c	2009-07-09 01:59:03 UTC (rev 22427)
@@ -775,10 +775,8 @@
 	return;
     }
     if (cc != response->length) {
-	krb5_free_data(kdc_context, response);
 	com_err(prog, 0, "short reply write %d vs %d\n",
 		response->length, cc);
-	return;
     }
     krb5_free_data(kdc_context, response);
     return;
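Review bot: The `com_err` format in the short-write branch prints `response->length` with `%d`, but `krb5_data.length` is an unsigned int, so the specifier does not match its argument; the declaration of `cc` is outside the hunk and should be checked the same way. Something like `"short reply write %u vs %d\n", response->length, (int)cc` would keep specifier and argument in step. The `cc != response->length` comparison also mixes signedness if `cc` is signed, which is only safe as long as a negative `cc` is rejected by the earlier check that ends just above this hunk. The enclosing function starts outside the hunk.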

Modified: branches/krb5-1-6/src/lib/krb5/krb/mk_cred.c
===================================================================
--- branches/krb5-1-6/src/lib/krb5/krb/mk_cred.c	2009-07-09 01:54:50 UTC (rev 22426)
+++ branches/krb5-1-6/src/lib/krb5/krb/mk_cred.c	2009-07-09 01:59:03 UTC (rev 22427)
@@ -176,8 +176,8 @@
 
     if ((pcred->tickets 
       = (krb5_ticket **)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) {
-	retval = ENOMEM;
 	free(pcred);
+	return ENOMEM;
     }
     memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
 
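Review bot: The size passed to `malloc` is `sizeof(krb5_ticket *) * (ncred + 1)` with no overflow check, and the same expression is repeated in the `memset`; the type and origin of `ncred` are outside the hunk, so whether it can be large enough to wrap is not visible here. `pcred->tickets = calloc(ncred + 1, sizeof(*pcred->tickets));` would check the multiplication, zero the array, and make the separate `memset` unnecessary. The new early `return ENOMEM` also bypasses whatever cleanup the function performs at its end, which is outside the hunk, so confirm that nothing other than `pcred` has been allocated by this point.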

Modified: branches/krb5-1-6/src/slave/kprop.c
===================================================================
--- branches/krb5-1-6/src/slave/kprop.c	2009-07-09 01:54:50 UTC (rev 22426)
+++ branches/krb5-1-6/src/slave/kprop.c	2009-07-09 01:59:03 UTC (rev 22427)
@@ -1,7 +1,7 @@
 /*
  * slave/kprop.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -505,12 +505,12 @@
 		free(data_ok_fn);
 		exit(1);
 	}
-	free(data_ok_fn);
 	if (stbuf.st_mtime > stbuf_ok.st_mtime) {
 		com_err(progname, 0, "'%s' more recent than '%s'.",
 			data_fn, data_ok_fn);
 		exit(1);
 	}
+	free(data_ok_fn);
 	*size = stbuf.st_size;
 	return(fd);
 }
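Review bot: Nothing at the relocated `free(data_ok_fn)` records that the string must outlive the `com_err` call in the mtime check, which is exactly the ordering mistake this hunk corrects. A short comment above it, e.g. `/* data_ok_fn is used in the message above; free only after the last use */`, would keep the ordering from regressing. The two exit paths are also inconsistent: the first frees `data_ok_fn` before `exit(1)` and the mtime path does not, which is harmless at process exit but worth making uniform. The function starts outside the hunk.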



