svn rev #24879: branches/krb5-1-9/src/kadmin/server/
tlyu@MIT.EDU
tlyu at MIT.EDU
Wed Apr 13 18:45:08 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24879
Commit By: tlyu
Log Message:
ticket: 6899
version_fixed: 1.9.1
status: resolved
pull up r24878 from trunk
------------------------------------------------------------------------
r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines
ticket: 6899
tags: pullup
target_version: 1.9.1
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
Changed Files:
U branches/krb5-1-9/src/kadmin/server/schpw.c
Modified: branches/krb5-1-9/src/kadmin/server/schpw.c
===================================================================
--- branches/krb5-1-9/src/kadmin/server/schpw.c 2011-04-13 18:43:37 UTC (rev 24878)
+++ branches/krb5-1-9/src/kadmin/server/schpw.c 2011-04-13 22:45:08 UTC (rev 24879)
@@ -52,6 +52,7 @@
ret = 0;
rep->length = 0;
+ rep->data = NULL;
auth_context = NULL;
changepw = NULL;
@@ -76,8 +77,13 @@
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
- if (plen != req->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ if (plen != req->length) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request length was inconsistent",
+ sizeof(strresult));
+ goto chpwfail;
+ }
/* verify version number */
@@ -531,6 +537,10 @@
if (local_kaddrs != NULL)
krb5_free_addresses(server_handle->context, local_kaddrs);
+ if ((*response)->data == NULL) {
+ free(*response);
+ *response = NULL;
+ }
krb5_kt_close(server_handle->context, kt);
return ret;
More information about the cvs-krb5
mailing list