Date:      Sun, 27 Nov 2022 02:44:02 GMT
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: e13150e28c93 - main - heimdal: Fix uninitialized pointer dereference
Message-ID:  <202211270244.2AR2i2EN088214@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=e13150e28c93d9e74f419dcd17d2e2bad41715ad

commit e13150e28c93d9e74f419dcd17d2e2bad41715ad
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-25 23:29:14 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-11-27 02:41:51 +0000

    heimdal: Fix uninitialized pointer dereference
    
    krb5_ret_principal() returns a non-zero return code when
    a garbage principal is passed to it. Unfortunately ret_principal_ent()
    does not check the return code, with garbage pointing to what would
    have been the principal. This results in a segfault when free() is
    called.
    
    PR:             267944, 267972
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days
---
 crypto/heimdal/lib/kadm5/marshall.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index fa7388b692fe..292cdf6107e8 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp,
     int i;
     int32_t tmp;
 
-    if (mask & KADM5_PRINCIPAL)
-	krb5_ret_principal(sp, &princ->principal);
-
+    if (mask & KADM5_PRINCIPAL) 
+	if (krb5_ret_principal(sp, &princ->principal))
+	    return EINVAL;
     if (mask & KADM5_PRINC_EXPIRE_TIME) {
 	krb5_ret_int32(sp, &tmp);
 	princ->princ_expire_time = tmp;
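Review bot: the new `return EINVAL;` discards the error code that krb5_ret_principal() produced; storing it and propagating it (`ret = krb5_ret_principal(sp, &princ->principal); if (ret) return ret;`) keeps the caller's diagnostics accurate instead of collapsing every decode failure to EINVAL. Two style points on the same lines: `if (mask & KADM5_PRINCIPAL) ` now carries trailing whitespace, and a braceless `if` nested inside a braceless `if` invites a dangling-else misread, so braces around the outer body would be clearer; the blank line that separated this block from the `KADM5_PRINC_EXPIRE_TIME` check was also dropped. The `krb5_ret_int32(sp, &tmp);` call in the context lines is still unchecked, which leaves `tmp` uninitialized on a short read; that is out of scope for this fix but worth a follow-up.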
@@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp,
     }
     if (mask & KADM5_MOD_NAME) {
 	krb5_ret_int32(sp, &tmp);
-	if(tmp)
-	    krb5_ret_principal(sp, &princ->mod_name);
-	else
+	if(tmp) {
+	    if (krb5_ret_principal(sp, &princ->mod_name))
+		return EINVAL;
+	} else
 	    princ->mod_name = NULL;
     }
     if (mask & KADM5_MOD_TIME) {
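Review bot: the early `return EINVAL;` in the `KADM5_MOD_NAME` branch happens after `princ->principal` has already been read and allocated by the earlier `KADM5_PRINCIPAL` block, so unless every caller releases a partially filled entry on error, that principal leaks. Either free `princ->principal` with krb5_free_principal() before returning here, or make it explicit in a comment that the caller must run the kadm5 entry-free routine regardless of the return value. As in the first hunk, propagating the krb5_ret_principal() result rather than EINVAL would be preferable; and `if(tmp) {` keeps the old missing space after `if` while the new line two below uses `if (`, so the two styles now sit side by side.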


