[1032] in Kerberos-V5-bugs
adm_modify_kdb shares salt memory
daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Jan 3 22:14:24 1995
From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 3 Jan 95 21:14:25 -0600
To: krb5-bugs@MIT.EDU
Reply-To: Jim_Miller@suite.com
This bug report is for KRB5, beta 4, patchlevel 3.
The function "adm_modify_kdb" (kadmin/server/adm_funcs) has the following
lines of code:
    if (salt) {
        ...
        entry->salt = (krb5_octet *) salt->saltdata.data;

and

    if (altsalt) {
        ...
        entry->alt_salt = (krb5_octet *) altsalt->saltdata.data;
As you can see, this function is sharing the caller's salt and altsalt
data buffers. This routine should make its own copy of the salt data to
prevent double freeing. (The salt memory sometimes gets freed twice, once
by "adm_enter_pwd_key", and later by "krb5_db_free_principal".)
Here's what I've done:
    if (salt) {
        krb5_data *tmp_data;
        entry->salt_type = salt->salttype;
        /* take a private copy so the entry owns its own salt buffer */
        retval = krb5_copy_data(salt->saltdata, &tmp_data);
        entry->salt_length = tmp_data->length;
        entry->salt = (krb5_octet *)tmp_data->data;
        /* free only the krb5_data wrapper; the entry keeps the bytes */
        krb5_xfree(tmp_data);
    } else {
        ...
        ...
and
    if (altsalt) {
        krb5_data *tmp_data;
        entry->alt_salt_type = altsalt->salttype;
        retval = krb5_copy_data(altsalt->saltdata, &tmp_data);
        entry->alt_salt_length = tmp_data->length;
        entry->alt_salt = (krb5_octet *)tmp_data->data;
        krb5_xfree(tmp_data);
    } else {
        ...
        ...
I also put in code to check the return value of "krb5_copy_data", but I
removed it from this post for brevity.
Also, "adm_enter_rnd_pwd_key" needs to be modified to free its salt
buffer.
Jim_Miller@suite.com
P.S. These mods are untested. :-)
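The ownership problem the report describes, shown as a stand-alone example. This is added illustration, not code from the report or from the Kerberos source tree: the types `my_data` and `my_db_entry` are constructed stand-ins for the KDC structures mentioned above, `modify_shared` mirrors the aliasing behaviour of the reported `adm_modify_kdb`, and `modify_copied` mirrors the proposed fix. `demo` plays the role of the two callers: the caller frees its own salt buffer (as the report says `adm_enter_pwd_key` does), and only the copied entry still holds valid bytes afterwards, so a later free of the entry's salt is not a second free of the same memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the KDC types in the report (not Kerberos' own). */
typedef struct {
    unsigned int length;
    char *data;
} my_data;

typedef struct {
    int salt_type;
    unsigned int salt_length;
    unsigned char *salt;   /* owned by the entry only after modify_copied() */
} my_db_entry;

/* Mirror of the reported code: the entry merely aliases the caller's buffer,
   so two owners will each try to free the same allocation. */
int modify_shared(my_db_entry *entry, const my_data *salt) {
    entry->salt_length = salt->length;
    entry->salt = (unsigned char *)salt->data;
    return 0;
}

/* The fix: allocate a private copy so that each owner frees only its own. */
int modify_copied(my_db_entry *entry, const my_data *salt) {
    unsigned char *copy = malloc(salt->length ? salt->length : 1);
    if (copy == NULL)
        return -1;   /* allocation failed; caller keeps ownership of salt */
    memcpy(copy, salt->data, salt->length);
    entry->salt_length = salt->length;
    entry->salt = copy;
    return 0;
}

/* 1 if the entry and the caller's salt point at the same bytes. */
int salt_is_aliased(const my_db_entry *entry, const my_data *salt) {
    return entry->salt == (unsigned char *)salt->data;
}

/* The entry's owner releases the salt it holds (a private copy). */
void entry_free_salt(my_db_entry *entry) {
    free(entry->salt);
    entry->salt = NULL;
    entry->salt_length = 0;
}

/* Drives both variants. Returns 1 when the shared entry aliases the caller's
   buffer, the copied entry does not, and the copied bytes are still intact
   after the caller has freed its own salt. */
int demo(void) {
    const char raw[] = "ATHENA.MIT.EDUjim";   /* constructed sample salt */
    my_data salt;
    my_db_entry shared = {0, 0, NULL}, copied = {0, 0, NULL};
    int aliased, independent, ok;

    salt.length = (unsigned int)strlen(raw);
    salt.data = malloc(salt.length);
    if (salt.data == NULL)
        return 0;
    memcpy(salt.data, raw, salt.length);

    modify_shared(&shared, &salt);
    if (modify_copied(&copied, &salt) != 0) {
        free(salt.data);
        return 0;
    }

    aliased = salt_is_aliased(&shared, &salt);        /* 1: one buffer, two owners */
    independent = !salt_is_aliased(&copied, &salt);   /* 1: entry has its own copy */

    /* The caller frees its salt, as adm_enter_pwd_key does in the report. */
    free(salt.data);
    salt.data = NULL;
    /* shared.salt now dangles: freeing it would be the double free.
       copied.salt is still valid and is freed exactly once, by the entry. */
    ok = aliased && independent
         && copied.salt_length == strlen(raw)
         && memcmp(copied.salt, raw, copied.salt_length) == 0;
    entry_free_salt(&copied);
    return ok;
}
```

The check that matters in review is the one `salt_is_aliased` performs: after the modify call, the entry must not point into memory it does not own, or the first of the two frees leaves the other holding a dangling pointer.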