svn rev #24881: branches/krb5-1-7/src/kadmin/server/

tlyu@MIT.EDU tlyu at MIT.EDU
Thu Apr 14 18:17:11 EDT 2011 

http://src.mit.edu/fisheye/changelog/krb5/?cs=24881
Commit By: tlyu
Log Message:
ticket: 6901
subject: kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
status: resolved
version_fixed: 1.7.2

back-port r24878 for 1.7-branch

 ------------------------------------------------------------------------
 r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines

 ticket: 6899
 tags: pullup
 target_version: 1.9.1

 Fix the sole case in process_chpw_request() where a return could occur
 without allocating the data pointer in the response.  This prevents a
 later free() of an invalid pointer in kill_tcp_or_rpc_connection().

 Also initialize rep->data to NULL in process_chpw_request() and clean
 up *response in dispatch() as an additional precaution.


Changed Files:
U   branches/krb5-1-7/src/kadmin/server/network.c
U   branches/krb5-1-7/src/kadmin/server/schpw.c
Modified: branches/krb5-1-7/src/kadmin/server/network.c
===================================================================
--- branches/krb5-1-7/src/kadmin/server/network.c	2011-04-14 22:04:13 UTC (rev 24880)
+++ branches/krb5-1-7/src/kadmin/server/network.c	2011-04-14 22:17:10 UTC (rev 24881)
@@ -1351,6 +1351,10 @@
     if (local_kaddrs != NULL)
 	krb5_free_addresses(server_handle->context, local_kaddrs);
 
+    if ((*response)->data == NULL) {
+        free(*response);
+        *response = NULL;
+    }
     krb5_kt_close(server_handle->context, kt);
 
     return ret;

Modified: branches/krb5-1-7/src/kadmin/server/schpw.c
===================================================================
--- branches/krb5-1-7/src/kadmin/server/schpw.c	2011-04-14 22:04:13 UTC (rev 24880)
+++ branches/krb5-1-7/src/kadmin/server/schpw.c	2011-04-14 22:17:10 UTC (rev 24881)
@@ -73,8 +73,13 @@
     plen = (*ptr++ & 0xff);
     plen = (plen<<8) | (*ptr++ & 0xff);
 
-    if (plen != req->length)
-	return(KRB5KRB_AP_ERR_MODIFIED);
+    if (plen != req->length) {
+        ret = KRB5KRB_AP_ERR_MODIFIED;
+        numresult = KRB5_KPASSWD_MALFORMED;
+        strlcpy(strresult, "Request length was inconsistent",
+                sizeof(strresult));
+        goto chpwfail;
+    }
 
     /* verify version number */

More information about the cvs-krb5 mailing list