From 98bdf4755d5c0256d26ba6a6aed6b9e649adf941 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Mon, 18 Jul 2016 15:00:02 +0200 Subject: [PATCH] Heap corruption in ipapwd plugin ipapwd_encrypt_encode_key allocates 'kset' on the heap but with num_keys and keys not being initialized. Then ipa_krb5_generate_key_data initializes them with the generated keys. If ipa_krb5_generate_key_data fails (here EINVAL meaning no principal->realm.data), num_keys and keys are left uninitialized. Upon failure, ipapwd_keyset_free is called to free 'kset' that contains random num_keys and keys. allocates kset with calloc so that kset->num_keys==0 and kset->keys==NULL https://fedorahosted.org/freeipa/ticket/6030 Reviewed-By: Simo Sorce Reviewed-By: Lukas Slebodnik --- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index 9c62f0560aa999b2179a7767040047dfa89288e0..7b2f341229b4f3bf48105c3856c0d6778da154a5 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, pwd.length = strlen(data->password); } - kset = malloc(sizeof(struct ipapwd_keyset)); + kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset)); if (!kset) { LOG_OOM(); goto enc_error; -- 2.7.4
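Review bot: the explicit `(struct ipapwd_keyset *)` cast on the `calloc` call in the hunk at encoding.c:160 is unnecessary in C and differs from the uncast `malloc` it replaces; suggest `kset = calloc(1, sizeof(struct ipapwd_keyset));` to keep the surrounding style. On the logic: zeroing at allocation does make `kset->num_keys == 0` and `kset->keys == NULL` before `ipa_krb5_generate_key_data` runs, so the `ipapwd_keyset_free` on the failure path described in the commit message no longer walks garbage, but the fix is local to this one caller. The underlying problem named in the message is that `ipa_krb5_generate_key_data` can fail (EINVAL on missing `principal->realm.data`) without ever writing its output fields, so any other caller that frees a keyset after such a failure is exposed in the same way; worth either having that function set `num_keys`/`keys` before any early return or documenting that callers must pass a zero-initialized keyset. Also worth confirming in the same review that `ipapwd_keyset_free` treats `keys == NULL` with `num_keys == 0` as a no-op rather than dereferencing the pointer, since this hunk relies on that behaviour and the commit message asserts it without the code being in the diff.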