krb5 commit: Fix unlikely password change leak

ghudson at mit.edu ghudson at mit.edu
Fri Oct 18 15:55:51 EDT 2024


https://github.com/krb5/krb5/commit/038793c3083f44c4fb62626c12f80c80147029cf
commit 038793c3083f44c4fb62626c12f80c80147029cf
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Fri Oct 11 12:45:13 2024 +0200

    Fix unlikely password change leak
    
    In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
    local address, a copy of the first local address's contents is made
    and never freed.  Instead of making an allocated copy of the address
    contents, make a shallow copy of the whole address.  Delay freeing the
    address array until the end of the function so that the alias pointer made
    by the shallow copy remains valid.
    
    [ghudson at mit.edu: further simplified code; rewrote commit message]

 src/lib/krb5/os/changepw.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index c59232586..bc132bc33 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
     struct sendto_callback_context      *ctx = data;
     GETSOCKNAME_ARG3_TYPE               addrlen;
     krb5_data                           output;
+    krb5_address                        **addrs = NULL;
 
     memset (message, 0, sizeof(krb5_data));
 
@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
         local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
         local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
     } else {
-        krb5_address **addrs;
-
         code = krb5_os_localaddr(ctx->context, &addrs);
         if (code)
             goto cleanup;
-
-        local_kaddr.magic = addrs[0]->magic;
-        local_kaddr.addrtype = addrs[0]->addrtype;
-        local_kaddr.length = addrs[0]->length;
-        local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
-                                        &code);
-        krb5_free_addresses(ctx->context, addrs);
-        if (local_kaddr.contents == NULL)
-            goto cleanup;
+        local_kaddr = *addrs[0];
     }
 
 
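Review bot: The shallow copy `local_kaddr = *addrs[0];` turns local_kaddr.contents into an alias into the addrs array, and nothing at the assignment says so; its correctness now rests on the krb5_free_addresses call having moved to the cleanup label, which a later edit could undo without any warning at this site. I would add a comment on that line: `/* Alias addrs[0]; addrs is freed at cleanup, so this stays valid until return. */`. Separately, `addrs[0]` is dereferenced without checking for an empty array, as the old code also did; if krb5_os_localaddr can return success with an empty list (not visible in this hunk), an `if (addrs[0] == NULL)` guard that sets code to an error and jumps to cleanup is needed. kpasswd_sendto_msg_callback begins before this hunk and ends in the hunk below.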
@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
     message->data = output.data;
 
 cleanup:
+    krb5_free_addresses(ctx->context, addrs);
     return code;
 }
 
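Review bot: `krb5_free_addresses(ctx->context, addrs);` now runs on every path, including the getsockname() success path and the early error exits, where addrs is still the NULL it was initialized with; that is only correct if krb5_free_addresses accepts a NULL array, which I believe it does (it returns early on NULL) but cannot confirm from this hunk. A one-line comment above the call would make the dependency explicit: `/* addrs is NULL unless the krb5_os_localaddr fallback ran; krb5_free_addresses tolerates NULL. */`. The function begins before this hunk.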

