[16071] in Kerberos-V5-bugs


[krbdev.mit.edu #8708] Incorrect error handling in OTP plugin

daemon@ATHENA.MIT.EDU (Robbie Harwood via RT)
Thu Jun 21 14:38:26 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Robbie Harwood via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8708@krbdev.mit.edu>
Message-ID: <rt-8708-48678.11.9903985877432@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8708'":;
Date: Thu, 21 Jun 2018 14:38:20 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

In otp_state.c:callback(), if we did not receive an accept packet, but
were not out of tokens, we invoke request_send() and then fall through
to the error case.  This results in two things happening:

- First, we yield a failure.  If request_send() succeeded, then we
  erroneously report failure.  But if request_send() has failed, we
  report the failure again, and request_send() has already freed the
  request object (making this a use-after-free).

- Second, we call request_free().  However, since request_send()
  may have already freed the request, this is a double-free.

Thanks,
--Robbie
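
The two defects described above, modelled as an added C example (this is not krb5's own otp_state.c, and every name in it is hypothetical): a callback that falls through into the error path after sending a retry, beside one that returns as soon as the retry path owns the request. A free counter stands in for free(), so the double-free shows up as a count of 2 instead of corrupting the heap.

```c
/* Added model of the control flow described in the report; it is not
 * krb5's otp_state.c, and every name below is hypothetical. */
typedef struct {
    int tokens_left;  /* retries still available */
    int send_fails;   /* constructed knob: make otp_send() fail */
    int frees;        /* times the request was freed; more than 1 is a double-free */
} otp_request;

enum { VERDICT_PENDING = 0, VERDICT_FAILURE = 1, VERDICT_SUCCESS = 2 };

static void otp_free(otp_request *req) { req->frees++; }

/* Contract from the report: on failure the send routine frees the request. */
static int otp_send(otp_request *req)
{
    req->tokens_left--;
    if (!req->send_fails) return 0;
    otp_free(req);   /* real code would free(); a counter keeps the model memory-safe */
    return -1;
}

/* Buggy shape: after otp_send() control falls through into the error path. */
static int callback_buggy(otp_request *req, int accepted)
{
    if (accepted) { otp_free(req); return VERDICT_SUCCESS; }
    if (req->tokens_left > 0)
        otp_send(req);          /* result ignored and no early return */
    otp_free(req);              /* second free if otp_send() already freed req */
    return VERDICT_FAILURE;     /* wrong when the retry was sent successfully */
}

/* Fixed shape: once a retry is sent, that path owns the request; return at once. */
static int callback_fixed(otp_request *req, int accepted)
{
    if (accepted) { otp_free(req); return VERDICT_SUCCESS; }
    if (req->tokens_left > 0) {
        if (otp_send(req) != 0)
            return VERDICT_FAILURE;  /* req was freed inside otp_send(); do not touch it */
        return VERDICT_PENDING;      /* retry in flight: no verdict yet, no free */
    }
    otp_free(req);
    return VERDICT_FAILURE;
}

/* Runs one non-accept scenario; returns frees * 10 + verdict for easy checking. */
static int run_scenario(int use_fixed, int tokens, int send_fails)
{
    otp_request req = { tokens, send_fails, 0 };
    int verdict = use_fixed ? callback_fixed(&req, 0) : callback_buggy(&req, 0);
    return req.frees * 10 + verdict;
}
```

With tokens left and a successful send, the buggy callback frees once but reports failure (11); with a failing send it frees twice (21), while the fixed callback returns pending with no free (0) or a single free plus failure (11).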

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
