heimdal: Fix uninitialized pointer dereference

krb5_ret_principal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, leaving a garbage pointer where the
principal would have been. This results in a segfault when free() is
called.

PR:		267944, 267972
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
Cy Schubert 2022-11-25 15:29:14 -08:00
parent 41e85e8e35
commit e13150e28c


@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp,
int i;
int32_t tmp;
if (mask & KADM5_PRINCIPAL)
krb5_ret_principal(sp, &princ->principal);
if (mask & KADM5_PRINCIPAL)
if (krb5_ret_principal(sp, &princ->principal))
return EINVAL;
if (mask & KADM5_PRINC_EXPIRE_TIME) {
krb5_ret_int32(sp, &tmp);
princ->princ_expire_time = tmp;
@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp,
}
if (mask & KADM5_MOD_NAME) {
krb5_ret_int32(sp, &tmp);
if(tmp)
krb5_ret_principal(sp, &princ->mod_name);
else
if(tmp) {
if (krb5_ret_principal(sp, &princ->mod_name))
return EINVAL;
} else
princ->mod_name = NULL;
}
if (mask & KADM5_MOD_TIME) {
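Review bot: The `krb5_ret_int32(sp, &tmp);` calls kept as context in both hunks are still unchecked, and `tmp` is declared without an initializer, so on a short or malformed message the `if(tmp)` test in the KADM5_MOD_NAME branch may read an indeterminate value; the same treatment as the principal reads would be `if (krb5_ret_int32(sp, &tmp)) return EINVAL;`. The new early returns also leave `princ->principal` and `princ->mod_name` holding whatever krb5_ret_principal() left there, so if the caller frees the entry on error (the caller is not visible on this page) the bad free could still occur; setting the field to NULL before `return EINVAL;` would make the error path safe to clean up. Returning the callee's own code instead of a fixed EINVAL would keep allocation failures distinguishable from malformed input. ret_principal_ent() begins before and continues past the lines shown.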