[30836] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fix leak in KERB_AP_OPTIONS_CBT server support

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 4 14:15:30 2020

Date: Tue, 4 Aug 2020 14:15:04 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202008041815.074IF42K022967@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/bf2ddff13c178e0c291f8fb382b040080d159e4f
commit bf2ddff13c178e0c291f8fb382b040080d159e4f
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Jul 24 16:05:24 2020 -0400

    Fix leak in KERB_AP_OPTIONS_CBT server support
    
    In check_cbt(), use a local variable to hold the retrieved authdata
    list, and free it before returning.
    
    ticket: 8900

 src/lib/gssapi/krb5/accept_sec_context.c |   23 +++++++++++++----------
 1 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 7fefbf0..85be82e 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
 /* Look for AP_OPTIONS in authdata.  If present and the options include
  * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
 static krb5_error_code
-check_cbt(krb5_context context, krb5_authdata **authdata,
+check_cbt(krb5_context context, krb5_authdata *const *authdata,
           krb5_boolean *cbt_out)
 {
     krb5_error_code code;
+    krb5_authdata **ad;
     uint32_t ad_ap_options;
     const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
 
     *cbt_out = FALSE;
 
     code = krb5_find_authdata(context, NULL, authdata,
-                              KRB5_AUTHDATA_AP_OPTIONS, &authdata);
-    if (code || authdata == NULL)
+                              KRB5_AUTHDATA_AP_OPTIONS, &ad);
+    if (code || ad == NULL)
         return code;
-    if (authdata[1] != NULL || authdata[0]->length != 4)
-        return KRB5KRB_AP_ERR_MSG_TYPE;
-
-    ad_ap_options = load_32_le(authdata[0]->contents);
-    if (ad_ap_options & KERB_AP_OPTIONS_CBT)
-        *cbt_out = TRUE;
+    if (ad[1] != NULL || ad[0]->length != 4) {
+        code = KRB5KRB_AP_ERR_MSG_TYPE;
+    } else {
+        ad_ap_options = load_32_le(ad[0]->contents);
+        if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+            *cbt_out = TRUE;
+    }
 
-    return 0;
+    krb5_free_authdata(context, ad);
+    return code;
 }
 
 /*
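Review bot: The comment above check_cbt() documents only the case where the option is found, but the body also has a failure path that matters for channel-binding enforcement. A malformed AP_OPTIONS element (more than one entry, or a length other than 4) returns KRB5KRB_AP_ERR_MSG_TYPE instead of being treated as absent. I would extend the comment with `Return KRB5KRB_AP_ERR_MSG_TYPE if more than one AP_OPTIONS element is found or its length is not 4; the caller's authdata list is not modified.` so a later refactor does not quietly turn that rejection into "no CBT requested". As a smaller style point, declaring `krb5_authdata **ad = NULL;` would keep the new `krb5_free_authdata(context, ad)` call well-defined if the early `return code;` is ever folded into the single exit; this assumes krb5_free_authdata() accepts NULL, which is not visible in this hunk.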