ticket: 6448
subject: CVE-2009-0846 (1.6.x) asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4

pull up rxxxx from trunk

The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22181 dc483132-0cff-0310-8789-dd5450dbe970
tlyu committed Apr 8, 2009
1 parent d77fcec commit 0bfa172
Showing 2 changed files with 17 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)

if(length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if(s[14] != 'Z') {
free(s);
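Review bot: The added `if (retval) return retval;` is now the only thing keeping the later `free(s)` calls away from an unset pointer, and nothing at the call site records that. The declaration of `s` lies outside this hunk; if it has no initialiser there, `char *s = NULL;` would make every cleanup path safe regardless of statement order, since free(NULL) is a no-op. A short comment above the new line, such as `/* s is not valid on failure; must not reach free(s) */`, would keep a later refactor from reintroducing CVE-2009-0846. asn1_decode_generaltime() starts and continues outside the hunk.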
16 changes: 16 additions & 0 deletions src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv)
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);

retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
if (retval) {
com_err("krb5_decode_test", retval, "while parsing");
exit(1);
}
retval = decode_krb5_ap_rep_enc_part(&code, &var);
if (retval != ASN1_OVERRUN) {
printf("ERROR: ");
} else {
printf("OK: ");
}
printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
krb5_free_data_contents(test_context, &code);
if (!retval) krb5_free_ap_rep_enc_part(test_context, var);

ktest_empty_ap_rep_enc_part(&ref);
}
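Review bot: The `if (retval != ASN1_OVERRUN)` branch only prints `ERROR: `; it does not show which code decode_krb5_ap_rep_enc_part() returned, and nothing visible in the hunk turns the mismatch into a failing exit status, so a regression is caught only if the harness inspects the output. Printing the value, e.g. `printf("ERROR (got %ld): ", (long) retval);`, would make a failure diagnosable. A one-line comment above the hex string saying that the outer lengths (`7B 06 30 04`) are deliberately shorter than the enclosed timestamp field would also help, since the vector differs from the valid one above only in those two length bytes. main() starts and continues outside the hunk.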
