Commit a197e92

Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
[MITKRB5-SA-2015-001]

In auth_gssapi_unwrap_data(), do not free partial deserialization results upon failure to deserialize. This responsibility belongs to the callers, svctcp_getargs() and svcudp_getargs(); doing it in the unwrap function results in freeing the results twice.

In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers we are freeing, as other XDR functions such as xdr_bytes() and xdr_string().

ticket: 8056 (new)
target_version: 1.13.1
tags: pullup
1 parent 82dc33d commit a197e92

2 files changed

+2
-1
lines changed

Diff for: src/lib/kadm5/kadm_rpc_xdr.c

+2
@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
320320
free(tl);
321321
tl = tl2;
322322
}
323+
*tl_data_head = NULL;
323324
break;
324325

325326
case XDR_ENCODE:
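
Review bot: the new `*tl_data_head = NULL;` after the free loop in the XDR_FREE case carries no comment explaining why it is needed. Since the loop above releases every node through `free(tl)`, this assignment is the only thing that keeps a second XDR_FREE pass over the same head pointer from touching freed memory; a one-line comment saying so would keep it from being dropped as redundant in a later cleanup.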
@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
10961097
case XDR_FREE:
10971098
if(*objp != NULL)
10981099
krb5_free_principal(context, *objp);
1100+
*objp = NULL;
10991101
break;
11001102
}
11011103
return TRUE;
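
Review bot: in the XDR_FREE case the added `*objp = NULL;` directly follows an unbraced `if(*objp != NULL)`, so only indentation tells the reader that the assignment is outside the conditional. Bracing the `krb5_free_principal(context, *objp);` body would make it explicit that the pointer is cleared unconditionally, which is the intended behaviour and harmless when `*objp` is already NULL.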

Diff for: src/lib/rpc/auth_gssapi_misc.c

-1
@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
322322
if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
323323
PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
324324
gss_release_buffer(minor, &out_buf);
325-
xdr_free(xdr_func, xdr_ptr);
326325
XDR_DESTROY(&temp_xdrs);
327326
return FALSE;
328327
}
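
Review bot: with `xdr_free(xdr_func, xdr_ptr);` removed from the deserialization-failure branch, nothing at this site records who now owns the partially decoded results. The commit message assigns that to svctcp_getargs() and svcudp_getargs(); a comment in this branch stating that the caller must free `xdr_ptr` on a FALSE return would document the contract where it is enforced. It is also worth confirming that every other caller of auth_gssapi_unwrap_data() frees on failure, since any that does not will now leak instead.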
