author | Cy Schubert <cy@FreeBSD.org> | 2022-11-25 23:29:14 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2022-11-27 02:41:51 +0000 |
commit | e13150e28c93d9e74f419dcd17d2e2bad41715ad (patch) | |
tree | 92a950b3a46e7181a06df44d03e034a2aa72d195 | |
parent | 41e85e8e35e98af3f2f8032b57774eb3489ff45c (diff) | |
heimdal: Fix uninitialized pointer dereference
krb5_ret_principal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
did not check the return code, leaving garbage in the pointer that would
have held the principal. This results in a segfault when free() is
later called on that pointer.
PR: 267944, 267972
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
-rw-r--r-- | crypto/heimdal/lib/kadm5/marshall.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index fa7388b692fe..292cdf6107e8 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp,
 int i;
 int32_t tmp;
- if (mask & KADM5_PRINCIPAL)
- krb5_ret_principal(sp, &princ->principal);
-
+ if (mask & KADM5_PRINCIPAL)
+ if (krb5_ret_principal(sp, &princ->principal))
+ return EINVAL;
 if (mask & KADM5_PRINC_EXPIRE_TIME) {
 krb5_ret_int32(sp, &tmp);
 princ->princ_expire_time = tmp;
@@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp,
 }
 if (mask & KADM5_MOD_NAME) {
 krb5_ret_int32(sp, &tmp);
- if(tmp)
- krb5_ret_principal(sp, &princ->mod_name);
- else
+ if(tmp) {
+ if (krb5_ret_principal(sp, &princ->mod_name))
+ return EINVAL;
+ } else
 princ->mod_name = NULL;
 }
 if (mask & KADM5_MOD_TIME) {
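Review bot: The new check in the first hunk collapses every failure of krb5_ret_principal() into EINVAL, so an ENOMEM or a short-read error from the storage layer is reported to the caller as "bad input"; propagating the callee's own krb5_error_code is cheaper and more useful, e.g. `krb5_error_code ret;` next to `int32_t tmp;` and `if ((ret = krb5_ret_principal(sp, &princ->principal)) != 0) return ret;`. The adjacent `krb5_ret_int32(sp, &tmp); princ->princ_expire_time = tmp;` in the same hunk is still unchecked, so a truncated stream that fails there copies the uninitialized `tmp` into the entry rather than failing the decode; the same pattern should get the same treatment. On the error path the hunk also leaves `princ->principal` holding whatever the caller passed in — presumably krb5_ret_principal() does not write the out-pointer on failure, so a caller that frees the entry after an error could still hit the crash the commit describes unless it zeroed the struct first; worth a one-line comment above the check, `/* on failure princ->principal is untouched; callers must have zeroed *princ */`, or confirming the callers do. ret_principal_ent() begins before this hunk and ends after it.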
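Review bot: In the second hunk the `krb5_ret_int32(sp, &tmp);` that decides whether a mod_name principal follows is still unchecked, and `tmp` is declared without an initializer (`int32_t tmp;` in the first hunk), so a stream that ends right after the mask bit makes the new `if(tmp) {` branch on an indeterminate value — it may then call krb5_ret_principal() on an exhausted stream or silently set mod_name to NULL. Guarding it the same way as the principal read closes that gap: `if (krb5_ret_int32(sp, &tmp)) return EINVAL;`. As a matter of style, `if(tmp) {` sits next to the newly added `if (krb5_ret_principal(...))` and the surrounding `if (mask & ...)` lines, which all space after the keyword; matching them would be nice while the line is being touched anyway. ret_principal_ent() continues past the end of this hunk, so the remaining unchecked krb5_ret_int32() calls there are not visible here.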