[31250] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.20]: Fix possible double-free during KDB creation

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Jul 11 18:56:48 2023

From: ghudson@mit.edu
To: <cvs-krb5@mit.edu>
Message-ID: <20230711225642.9716D102D2C@krbdev.mit.edu>
Date: Tue, 11 Jul 2023 18:56:42 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/81a226597d5d92c0c96a063da53a586a7cdd9bb7
commit 81a226597d5d92c0c96a063da53a586a7cdd9bb7
Author: Julien Rische <jrische@redhat.com>
Date:   Wed Feb 1 15:57:26 2023 +0100

    Fix possible double-free during KDB creation
    
    In krb5_dbe_def_encrypt_key_data(), when we free
    key_data->key_data_contents[0], reset it to null so the caller doesn't
    free it as well.
    
    Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
    manifests as a double-free during KDB creation if master key
    encryption fails.
    
    [ghudson@mit.edu: edited commit message]
    
    (cherry picked from commit fddd419fc4112a118d8091e296cc2bfa8d8f777b)
    
    ticket: 9086
    version_fixed: 1.20.2

 src/lib/kdb/encrypt_key.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c810..91debea53 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
     if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
                                  &plain, &cipher))) {
         free(key_data->key_data_contents[0]);
+        key_data->key_data_contents[0] = NULL;
         return retval;
     }
 
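Review bot: On the krb5_c_encrypt() failure path, the pointer is cleared but nothing in this hunk resets the matching length. If key_data->key_data_length[0] was already assigned earlier in the function, the caller gets back a NULL key_data_contents[0] paired with a non-zero length. Consider zeroing the length next to "key_data->key_data_contents[0] = NULL;", or confirm that every caller's cleanup looks only at the pointer.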
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
                 key_data->key_data_contents[1] = malloc(keysalt->data.length);
                 if (key_data->key_data_contents[1] == NULL) {
                     free(key_data->key_data_contents[0]);
+                    key_data->key_data_contents[0] = NULL;
                     return ENOMEM;
                 }
                 memcpy(key_data->key_data_contents[1], keysalt->data.data,
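Review bot: The ENOMEM path after the malloc of key_data_contents[1] repeats the same free-then-NULL pair as the encrypt failure path, so any error return added to this function later has to remember both statements to avoid reintroducing the double-free. A single cleanup label that frees and clears key_data_contents[0] would keep the rule in one place, and a short comment stating that the caller frees key_data on error would document why the reset is required.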
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
