[31491] in CVS-changelog-for-Kerberos-V5
krb5 commit: Improve safety of KDC AS-REQ processing cleanup
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Jan 20 17:00:49 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260120220044.ADCF6104276@krbdev.mit.edu>
Date: Tue, 20 Jan 2026 17:00:44 -0500 (EST)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/dc0fb445d8236ed2d5121f6d9876f91a69c25605
commit dc0fb445d8236ed2d5121f6d9876f91a69c25605
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Dec 11 02:43:59 2025 -0500
Improve safety of KDC AS-REQ processing cleanup
In finish_process_as_req(), don't clean up
state->reply.enc_part.ciphertext until the end of the function.
Otherwise a dangling pointer appears in the structure while it is used
several times, including potentially by audit plugin modules.
Omit the memset() to 0 for this and
state->ticket_reply.enc_part.ciphertext, as ciphertexts are not
secrets.
src/kdc/do_as_req.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 5d588e5be..4dbb6ae67 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -331,12 +331,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
if (errcode)
goto egress;
- /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
- can use them in raw form if needed. But, we don't... */
- memset(state->reply.enc_part.ciphertext.data, 0,
- state->reply.enc_part.ciphertext.length);
- free(state->reply.enc_part.ciphertext.data);
-
log_as_req(context, state->local_addr, state->remote_addr,
state->request, &state->reply, state->client, state->cname,
state->server, state->sname, state->kdc_time, 0, 0, 0);
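Review bot: the free removed here sat directly before the log_as_req() call that closes the hunk, and that call receives &state->reply; with the free gone, log_as_req() (and any audit module it reaches, per the commit message) no longer sees a ciphertext pointer that was already released. The release now has to happen exactly once at the egress label for every path through this function, including the `goto egress` on errcode just above, so confirm that the egress cleanup frees state->reply.enc_part.ciphertext.data and that nothing between this point and egress assigns a fresh buffer to that field.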
@@ -405,12 +399,8 @@ egress:
krb5_db_free_principal(context, state->local_tgt_storage);
if (state->session_key.contents != NULL)
krb5_free_keyblock_contents(context, &state->session_key);
- if (state->ticket_reply.enc_part.ciphertext.data != NULL) {
- memset(state->ticket_reply.enc_part.ciphertext.data , 0,
- state->ticket_reply.enc_part.ciphertext.length);
- free(state->ticket_reply.enc_part.ciphertext.data);
- }
-
+ free(state->ticket_reply.enc_part.ciphertext.data);
+ free(state->reply.enc_part.ciphertext.data);
krb5_free_pa_data(context, state->e_data);
krb5_free_data(context, state->inner_body);
kdc_free_rstate(state->rstate);
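Review bot: dropping the NULL check around the ticket_reply free is correct only because free(NULL) is a no-op, so both unconditional frees here depend on state->ticket_reply.enc_part.ciphertext.data and state->reply.enc_part.ciphertext.data being NULL rather than indeterminate on every path that reaches egress, including early error exits taken before either ciphertext is produced; confirm the as_req_state is zero-initialized when it is allocated. Removing the two memset() calls is consistent with the commit message's rationale that ciphertexts are not secrets; the key material in state->session_key is still released through krb5_free_keyblock_contents() two lines above, so this hunk does not change how secrets are scrubbed.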
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5