[341] in Kerberos-V5-bugs


bugs in pwds2kpwds.c, f_pwd_seq

daemon@ATHENA.MIT.EDU (Jim Miller)
Thu Sep 16 18:09:41 1993

From: jim@bilbo.suite.com (Jim Miller)
Date: Thu, 16 Sep 93 16:56:46 -0500
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com


[The following code is from Krb5, pre-beta 3.  However, I think the bugs also  
exist in Krb5, beta 2]


The code that frees the password data and password sequences has a few bugs.
One bug exists in pwds2kpwds.c, the other in f_pwd_seq.c.

Here's the code in question:

From pwds2kpwds.c

    register passwd_phrase_element **element;
	.
	.
	.
    for (i = 0, rv = seq_ptr; rv; rv = rv->next, i++) {
	element[i] = KRB5_PWD__SEQ2krb5_pwd_seq(rv->PasswdSequence,
			error);
	if(!element[i]) {
	    while(i >= 0) {
		krb5_free_pwd_sequences(element[i]); <- *** passes wrong type
		i--;
	    }
	    xfree(element);
	    goto errout;
	}
    }


From f_pwd_seq.c

void
krb5_free_pwd_sequences(val)
passwd_phrase_element **val;  <- *** pwd2kpwds passes (passwd_phrase_element *)
{
    if ((*val)->passwd)
	xfree((*val)->passwd);
    if ((*val)->phrase)
	xfree((*val)->phrase);
    return;
}


The code in pwds2kpwds.c passes "element[i]" to krb5_free_pwd_sequences.
However, "element[i]" is of type (passwd_phrase_element *), whereas the
function krb5_free_pwd_sequences expects (passwd_phrase_element **).  Oops.

And another thing...(*val)->passwd and (*val)->phrase are both of type  
(krb5_data *).  The code should be something like:

    if ((*val)->passwd) {
	if ((*val)->passwd->data)
	    xfree((*val)->passwd->data);	/* free the buffer before the krb5_data struct that owns it */
	xfree((*val)->passwd);
    }
    if ((*val)->phrase) {
	if ((*val)->phrase->data)
	    xfree((*val)->phrase->data);
	xfree((*val)->phrase);
    }

It looks to me that all the code that deals with freeing the password data  
needs to be re-written.  Take a look at krb5_free_pwd_data:

void
krb5_free_pwd_data(val)
krb5_pwd_data *val;
{
    if (val->element)
	krb5_free_pwd_sequences(val->element);
    xfree(val);
    return;
}

It looks innocent enough until you remember that krb5_free_pwd_sequences only  
frees one element, rather than the entire element list.


Jim_Miller@suite.com
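The following is an added example, not code from the report or from the Kerberos V5 sources. It sketches what a correct deep free for this data looks like: one routine frees a single element (taking the element pointer itself, so the type matches the caller), another walks the whole list, and the error-unwind loop only touches the slots that were actually filled. The struct layouts, the NULL-terminated element array and the helper names (free_pwd_element, free_pwd_sequences, build_pwd_data, leak_check) are assumptions for this example; only the field names passwd, phrase, data and element come from the message. An allocation counter is used instead of a leak checker so the round trip can be verified offline.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified mirrors of the types in the report. The layouts
 * are an assumption for this example; only the field names follow the message. */
typedef struct {
    unsigned int length;
    char *data;
} krb5_data;

typedef struct {
    krb5_data *passwd;
    krb5_data *phrase;
} passwd_phrase_element;

typedef struct {
    passwd_phrase_element **element;   /* NULL-terminated array (assumption) */
} krb5_pwd_data;

/* Allocation counter so the test can check that every allocation is released. */
static int live_allocs = 0;

static void *xmalloc_counted(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void xfree_counted(void *p) {
    if (p) { live_allocs--; free(p); }
}

/* Deep-free one krb5_data: the buffer first, then the struct. Safe on NULL,
 * and the struct is released even when its buffer pointer is NULL. */
static void free_krb5_data(krb5_data *d) {
    if (!d) return;
    xfree_counted(d->data);
    xfree_counted(d);
}

/* Free a single element. Takes the element pointer itself, which is what
 * a caller holding element[i] actually has. */
static void free_pwd_element(passwd_phrase_element *e) {
    if (!e) return;
    free_krb5_data(e->passwd);
    free_krb5_data(e->phrase);
    xfree_counted(e);
}

/* Free the whole element list, then the array that held it. */
static void free_pwd_sequences(passwd_phrase_element **elements) {
    if (!elements) return;
    for (size_t i = 0; elements[i]; i++)
        free_pwd_element(elements[i]);
    xfree_counted(elements);
}

static void free_pwd_data(krb5_pwd_data *val) {
    if (!val) return;
    free_pwd_sequences(val->element);
    xfree_counted(val);
}

/* Build a krb5_data from a C string (constructed sample input). */
static krb5_data *make_data(const char *s) {
    krb5_data *d = xmalloc_counted(sizeof *d);
    if (!d) return NULL;
    d->length = (unsigned int)strlen(s);
    d->data = xmalloc_counted((size_t)d->length + 1);
    if (!d->data) { xfree_counted(d); return NULL; }
    memcpy(d->data, s, (size_t)d->length + 1);
    return d;
}

static passwd_phrase_element *make_element(const char *pw, const char *ph) {
    passwd_phrase_element *e = xmalloc_counted(sizeof *e);
    if (!e) return NULL;
    e->passwd = make_data(pw);
    e->phrase = make_data(ph);
    if (!e->passwd || !e->phrase) { free_pwd_element(e); return NULL; }
    return e;
}

/* Build n elements; slot fail_at (if < n) simulates a conversion failure.
 * The unwind frees slots [0, i) only: slot i is NULL and must not be freed. */
static krb5_pwd_data *build_pwd_data(size_t n, size_t fail_at) {
    passwd_phrase_element **elements = xmalloc_counted((n + 1) * sizeof *elements);
    if (!elements) return NULL;
    for (size_t i = 0; i < n; i++) {
        elements[i] = (i == fail_at) ? NULL : make_element("pw", "phrase");
        if (!elements[i]) {
            while (i > 0) { i--; free_pwd_element(elements[i]); }
            xfree_counted(elements);
            return NULL;
        }
    }
    elements[n] = NULL;
    krb5_pwd_data *pd = xmalloc_counted(sizeof *pd);
    if (!pd) { free_pwd_sequences(elements); return NULL; }
    pd->element = elements;
    return pd;
}

/* Live allocations left after a build/free round trip; a correct deep free
 * returns 0. fail_at >= n means no simulated failure. */
int leak_check(size_t n, size_t fail_at) {
    live_allocs = 0;
    krb5_pwd_data *pd = build_pwd_data(n, fail_at);
    free_pwd_data(pd);
    return live_allocs;
}

int main(void) {
    printf("no failure: %d leaked\n", leak_check(3, 100));
    printf("failure at slot 1: %d leaked\n", leak_check(3, 1));
    return 0;
}
```

The unwind loop decrements before freeing, which is the part of the original loop worth checking: at the point of failure element[i] is the NULL that triggered the error path, so a loop that starts at i hands a null pointer to the free routine.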

