git: fed526b0af2b - stable/13 - heimdal: Fix uninitialized pointer dereference

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 01 Dec 2022 14:25:29 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=fed526b0af2bd709f8d187f0c7529d710d3a1bb0

commit fed526b0af2bd709f8d187f0c7529d710d3a1bb0
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-25 23:29:14 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-01 14:25:10 +0000

    heimdal: Fix uninitialized pointer dereference
    
    krb5_ret_principal() returns a non-zero return code when
    a garbage principal is passed to it. Unfortunately ret_principal_ent()
    does not check the return code, with garbage pointing to what would
    have been the principal. This results in a segfault when free() is
    called.
    
    PR:             267944, 267972
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    
    (cherry picked from commit e13150e28c93d9e74f419dcd17d2e2bad41715ad)
---
 crypto/heimdal/lib/kadm5/marshall.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index fa7388b692fe..292cdf6107e8 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp,
     int i;
     int32_t tmp;
 
-    if (mask & KADM5_PRINCIPAL)
-	krb5_ret_principal(sp, &princ->principal);
-
+    if (mask & KADM5_PRINCIPAL) 
+	if (krb5_ret_principal(sp, &princ->principal))
+	    return EINVAL;
     if (mask & KADM5_PRINC_EXPIRE_TIME) {
 	krb5_ret_int32(sp, &tmp);
 	princ->princ_expire_time = tmp;
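Review bot: The same unchecked-return pattern remains on the next read: `krb5_ret_int32(sp, &tmp);` at the KADM5_PRINC_EXPIRE_TIME branch ignores its result, and `tmp` is declared without an initializer a few lines up, so a stream truncated right after the principal still copies an indeterminate value into `princ->princ_expire_time`. The fix is the one-line mirror of the new principal check, `if (krb5_ret_int32(sp, &tmp)) return EINVAL;`. Returning a fixed EINVAL also discards the krb5_error_code that krb5_ret_principal produced; propagating it (`ret = krb5_ret_principal(...); if (ret) return ret;`) would let callers distinguish a malformed stream from a short read. Minor style points: the new `if (mask & KADM5_PRINCIPAL) ` line carries trailing whitespace, and a nested unbraced `if` inside an unbraced `if` would be clearer with braces. ret_principal_ent continues beyond this hunk.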
@@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp,
     }
     if (mask & KADM5_MOD_NAME) {
 	krb5_ret_int32(sp, &tmp);
-	if(tmp)
-	    krb5_ret_principal(sp, &princ->mod_name);
-	else
+	if(tmp) {
+	    if (krb5_ret_principal(sp, &princ->mod_name))
+		return EINVAL;
+	} else
 	    princ->mod_name = NULL;
     }
     if (mask & KADM5_MOD_TIME) {
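Review bot: The new early return leaves `princ->mod_name` holding whatever krb5_ret_principal wrote before failing, which the commit message describes as an indeterminate pointer, so a caller that frees the partially filled entry on the error path would hit the same free() crash this commit is addressing; the same applies to `princ->principal`, already populated by the earlier hunk. Clearing the field before the read, `princ->mod_name = NULL;` ahead of `if (krb5_ret_principal(sp, &princ->mod_name))`, or on the failure path, makes the entry safe to hand to the existing free routine regardless of where decoding stopped. The `krb5_ret_int32(sp, &tmp);` that drives the `if(tmp)` branch is also still unchecked, so a truncated stream decides between the two branches on an uninitialized `tmp`; `if (krb5_ret_int32(sp, &tmp)) return EINVAL;` would close that. Whether callers actually free the entry on error is not visible here and should be confirmed against kadm5_free_principal_ent's users; ret_principal_ent continues past this hunk.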