[362] in Kerberos-V5-bugs
bug in sendauth
daemon@ATHENA.MIT.EDU (Jim Miller)
Wed Sep 29 21:16:41 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Wed, 29 Sep 93 20:05:01 -0500
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
The code is from Kerberos 5, pre-beta 3. I don't know if the same bug exists
in earlier versions of krb5.
In the file lib/sendauth.c: If the call to "krb5_rd_rep" returns a failure
status and the failure occurred before "krb5_rd_rep" set the "repl" parameter
(which it almost always would), then the call to "krb5_free_ap_rep_enc_part"
fails with a memory access violation.
Here's the code:
    if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
        krb5_ap_rep_enc_part *repl;                 <-*** not initialized
        krb5_error_code problem = 0;

        if (retval = krb5_read_message(fd, &inbuf)) {
            krb5_free_cred_contents(&creds);
            memset((char *)&authent, 0, sizeof(authent));
            return(retval);
        }
        problem = krb5_rd_rep(&inbuf,
                              &credsp->keyblock,
                              &repl);               <-*** doesn't get set if error occurs in krb5_rd_rep
        if (problem || ((repl->ctime != authent.ctime) ||
                        (repl->cusec != authent.cusec)))
            problem = KRB5_SENDAUTH_MUTUAL_FAILED;
        memset((char *)&authent, 0, sizeof(authent));
        krb5_free_cred_contents(&creds);
        xfree(inbuf.data);
        if (problem) {
            krb5_free_ap_rep_enc_part(repl);        <-*** repl is garbage
            return(problem);
        }
Suggested fix:
    if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
!       krb5_ap_rep_enc_part *repl = 0;             <-*** init to nil
        krb5_error_code problem = 0;
        .
        .
        .
        if (problem) {
!           if (repl) krb5_free_ap_rep_enc_part(repl);   <-*** check
            return(problem);
        }
Jim_Miller@suite.com
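The error path described in the report, modelled as an added example in C (not part of the original message or the Kerberos source): a stub standing in for krb5_rd_rep that returns failure without touching its output pointer, and the caller written the way the suggested fix has it, so the reply is only freed when it was actually produced. All names (rep_enc_part, rd_rep_stub, mutual_auth_check, the error codes) are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for krb5_ap_rep_enc_part and the error codes. */
typedef struct { long ctime; int cusec; } rep_enc_part;
enum { OK = 0, ERR_RD_REP = 1, ERR_MUTUAL_FAILED = 2 };

/* Stand-in for krb5_rd_rep: on failure it returns before writing *out,
 * which is the behaviour the report says the real routine has. */
static int rd_rep_stub(int fail, long ctime, int cusec, rep_enc_part **out)
{
    if (fail)
        return ERR_RD_REP;              /* *out deliberately left untouched */
    *out = malloc(sizeof **out);
    if (!*out)
        return ERR_RD_REP;
    (*out)->ctime = ctime;
    (*out)->cusec = cusec;
    return OK;
}

/* The fixed flow: repl starts as NULL and is compared and freed only when
 * rd_rep_stub actually filled it in.  auth_ctime/auth_cusec model the
 * fields of the authenticator the caller sent. */
int mutual_auth_check(int fail_rd_rep, long reply_ctime, int reply_cusec,
                      long auth_ctime, int auth_cusec)
{
    rep_enc_part *repl = NULL;          /* "init to nil" from the suggested fix */
    int problem = rd_rep_stub(fail_rd_rep, reply_ctime, reply_cusec, &repl);

    /* || short-circuits, so repl is dereferenced only when problem == 0 */
    if (problem || repl->ctime != auth_ctime || repl->cusec != auth_cusec)
        problem = ERR_MUTUAL_FAILED;

    if (repl)                           /* the "check" from the suggested fix */
        free(repl);
    return problem;
}
```

With the NULL initialisation and the check in place, the rd_rep failure case returns an error instead of handing an uninitialised pointer to free().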