[3269] in Kerberos-V5-bugs


krb5-libs/1014: decrypt_credencdata() double-free()s on error.

daemon@ATHENA.MIT.EDU (jhawk@MIT.EDU)
Mon Nov 12 23:07:04 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, jhawk@MIT.EDU
Message-Id: <200111130403.XAA03787@PICKLED-HERRING.MIT.EDU>
Date: Mon, 12 Nov 2001 23:03:00 -0500
From: jhawk@MIT.EDU
Reply-To: jhawk@MIT.EDU
To: krb5-bugs@mit.edu


>Number:         1014
>Category:       krb5-libs
>Synopsis:       decrypt_credencdata() double-free()s on error.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Nov 12 23:07:00 EST 2001
>Last-Modified:
>Originator:     John Hawkinson
>Organization:
	MIT
>Release:        krb5-1.2
>Environment:
	
System: Linux PICKLED-HERRING.MIT.EDU 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown
Architecture: i686

>Description:
	decrypt_credencdata() can double free() a pointer in the event
of an error. Herein:

      38     /*  now decode the decrypted stuff */
      39     if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
      40         goto cleanup_encpart;

however, decode_krb5_enc_cred_part() will free ppart in the event of
an error return:

      45 cleanup_encpart:
      46     memset(ppart, 0, sizeof(*ppart));
      47     krb5_xfree(ppart);

Unfortunately, decode_krb5_enc_cred_part() has already freed it:

     601 krb5_error_code decode_krb5_enc_cred_part(code, rep)
     602      const krb5_data * code;
     603      krb5_cred_enc_part ** rep;
...
     606   alloc_field(*rep,krb5_cred_enc_part);
...
     624 error_out:
     625   if (rep && *rep) {
     626       free_field(*rep,r_address);
     627       free_field(*rep,s_address);
     628       free(*rep);

(*rep is ppart here).

>How-To-Repeat:
	Have a krb5 exchange where the server and the client have
	different ideas of what is encrypted and what is not, or
	perhaps a case where you try to forward tickets in the context
	of having failed authorization (i.e. failed kuserok), and
	end up having decode_krb5_enc_cred_part() fail with
	"ASN.1 identifier doesn't match expected value."
>Fix:
	One of them shouldn't be free()-ing this. You figure out which.
>Audit-Trail:
>Unformatted:
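The ownership mistake in the report (a decoder that frees its out-parameter on error while the caller's cleanup label frees the same pointer again) as an added example, not krb5 code and not the reporter's: a hypothetical decode_enc_part()/decrypt_part() pair in the shape of decode_krb5_enc_cred_part()/decrypt_credencdata(), with the free-and-NULL contract that makes the cleanup path free exactly once; enc_part, release_part and the free counter are constructed for the demonstration.

```c
/* Added example (not krb5 code): models the callee/caller ownership contract
 * behind the double free in krb5-libs/1014. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define ENC_TAG    0x7D   /* [APPLICATION 29], the EncKrbCredPart identifier */
#define ERR_BAD_ID 1      /* stands in for "ASN.1 identifier doesn't match" */

struct enc_part { unsigned char tag; size_t len; };

static int release_calls; /* counts real frees so a test can check "exactly once" */

/* Frees *p and NULLs the caller's slot; a second call on the same slot is a no-op. */
static void release_part(struct enc_part **p)
{
    if (p && *p) {
        memset(*p, 0, sizeof(**p));
        free(*p);
        *p = NULL;
        release_calls++;
    }
}

/* Decoder: allocates *rep; on error it releases it AND leaves *rep NULL.
 * The bug in the report is a callee that frees *rep but leaves it dangling. */
static int decode_enc_part(const unsigned char *code, size_t len, struct enc_part **rep)
{
    *rep = calloc(1, sizeof(**rep));
    if (!*rep)
        return -1;
    if (len < 1 || code[0] != ENC_TAG) {
        release_part(rep);  /* callee owns the failure: free once, NULL the slot */
        return ERR_BAD_ID;
    }
    (*rep)->tag = code[0];
    (*rep)->len = len - 1;
    return 0;
}

/* Caller with the same cleanup-label layout as decrypt_credencdata(); because
 * the decoder NULLs the pointer, cleanup cannot free it a second time. */
static int decrypt_part(const unsigned char *code, size_t len)
{
    struct enc_part *ppart = NULL;
    int retval = decode_enc_part(code, len, &ppart);
    if (retval)
        goto cleanup_encpart;
    /* ... use ppart here ... */
cleanup_encpart:
    release_part(&ppart);   /* safe whether ppart is live or already NULL */
    return retval;
}

static int  release_count(void)       { return release_calls; }
static void reset_release_count(void) { release_calls = 0; }
```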