krb5 commit [krb5-1.11]: Fix kadm5/gssrpc XDR double free [CVE-2014-9421]

Tom Yu tlyu at mit.edu
Fri Feb 6 18:58:51 EST 2015


https://github.com/krb5/krb5/commit/0515f9e7b1d044f68e978f7192cd1e0fc4f5790f
commit 0515f9e7b1d044f68e978f7192cd1e0fc4f5790f
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sat Dec 27 14:16:13 2014 -0500

    Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
    
    [MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
    partial deserialization results upon failure to deserialize.  This
    responsibility belongs to the callers, svctcp_getargs() and
    svcudp_getargs(); doing it in the unwrap function results in freeing
    the results twice.
    
    In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
    we are freeing, as other XDR functions such as xdr_bytes() and
    xdr_string() already do.
    
    (cherry picked from commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3)
    
    ticket: 8074 (new)
    version_fixed: 1.11.6
    status: resolved

 src/lib/kadm5/kadm_rpc_xdr.c   |    2 ++
 src/lib/rpc/auth_gssapi_misc.c |    1 -
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 153b962..43079b6 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
 	       free(tl);
 	       tl = tl2;
 	  }
+	  *tl_data_head = NULL;
 	  break;
 
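Review bot: The new `*tl_data_head = NULL;` carries no comment saying why the caller-visible head must be cleared, and the XDR_FREE case it belongs to starts before this hunk (the loop that walks and frees the list is cut at the top). A one-line comment above it, `/* Clear the caller's pointer so a later xdr_free() on this argument finds nothing left to free. */`, would record the contract that the gssrpc fix depends on. If kadm_rpc_xdr.c has other hand-written XDR_FREE cases that free through a caller-owned pointer without clearing it, they presumably deserve the same audit — not visible from this hunk.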
      case XDR_ENCODE:
@@ -1095,6 +1096,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
     case XDR_FREE:
 	if(*objp != NULL)
 	    krb5_free_principal(context, *objp);
+	*objp = NULL;
 	break;
     }
     return TRUE;
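Review bot: The cleared `*objp` is unexplained, and the `context` handle passed to krb5_free_principal on the line above is not declared in this hunk; it is presumably a file-scope krb5_context, and it is worth confirming it is initialized on every path that can reach an XDR_FREE, since this free path is now reached from callers' cleanup after a failed decode. Suggest `/* Clear so a repeated xdr_free() is harmless, matching xdr_string()/xdr_bytes(). */` above `*objp = NULL;`. xdr_krb5_principal starts outside this hunk.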
diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index 53bdb98..a05ea19 100644
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
      if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
 	  PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
 	  gss_release_buffer(minor, &out_buf);
-	  xdr_free(xdr_func, xdr_ptr);
 	  XDR_DESTROY(&temp_xdrs);
 	  return FALSE;
      }
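Review bot: With `xdr_free(xdr_func, xdr_ptr)` removed, the FALSE return leaves whatever `*xdr_func` partially deserialized in `*xdr_ptr`, so every caller of auth_gssapi_unwrap_data must now xdr_free() the argument on failure or it leaks; the commit message names svctcp_getargs() and svcudp_getargs(), but nothing at the function records that ownership. Add above the `if (! (*xdr_func)(&temp_xdrs, xdr_ptr))` check a comment such as `/* On failure, partial results stay in *xdr_ptr; the caller owns freeing them via xdr_free(). */`. Any other caller of this function (a client-side unwrap path, if one exists) should be checked for the matching xdr_free() on the error path. auth_gssapi_unwrap_data starts and ends outside this hunk.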

