Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize.  This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.

In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().

ticket: 8056 (new)
target_version: 1.13.1
tags: pullup
greghudson committed Feb 4, 2015
1 parent 82dc33d commit a197e92
Showing 2 changed files with 2 additions and 1 deletion.
2 changes: 2 additions & 0 deletions src/lib/kadm5/kadm_rpc_xdr.c
Expand Up @@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
free(tl);
tl = tl2;
}
*tl_data_head = NULL;
break;

case XDR_ENCODE:
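Review bot: The new `*tl_data_head = NULL;` after the free loop in xdr_krb5_tl_data() carries no comment explaining why the head pointer is reset. The rationale (a later XDR_FREE pass over the same pointer must find an empty list rather than freed nodes) lives only in the commit message, so a one-line comment above the assignment would keep a future cleanup from removing it as redundant. A regression test that frees the same tl_data list twice would also pin the behaviour down.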
Expand Down Expand Up @@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
case XDR_FREE:
if(*objp != NULL)
krb5_free_principal(context, *objp);
*objp = NULL;
break;
}
return TRUE;
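Review bot: In the XDR_FREE case of xdr_krb5_principal(), the new `*objp = NULL;` directly follows an unbraced `if(*objp != NULL)`, so it is easy to misread as part of the conditional body. Suggest putting braces around the krb5_free_principal() call so it is obvious that the reset is unconditional, which also protects the line if someone later adds a second statement to the if.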
1 change: 0 additions & 1 deletion src/lib/rpc/auth_gssapi_misc.c
Expand Up @@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
gss_release_buffer(minor, &out_buf);
xdr_free(xdr_func, xdr_ptr);
XDR_DESTROY(&temp_xdrs);
return FALSE;
}
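Review bot: With the `xdr_free(xdr_func, xdr_ptr);` call gone from the deserialization failure branch of auth_gssapi_unwrap_data(), the function now returns FALSE with partial results still held in xdr_ptr, and nothing in the code says who owns them. Suggest a comment at this branch stating that the caller frees partial results on failure, as the commit message says svctcp_getargs() and svcudp_getargs() do. Any other caller of this function should be checked for the same cleanup, otherwise the double free is traded for a leak on that path.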