From 390c515e13dffc8c00b44623cba47e27c2f20cf7 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Tue, 27 Mar 2018 10:36:05 -0400

Subject: [PATCH] Fix SPAKE memory leak

In the NIST group implementations, ossl_fini() needs to free the

groupdata container as well as its fields.  Also in

spake_kdc.c:parse_data(), initialize the magic field of the resulting

data object to avoid a harmless uninitialized memory copy.

ticket: 8647

(cherry picked from commit 70b88b8018658e052d6eabf06f8fdad17fbe993c)

---

 src/plugins/preauth/spake/openssl.c   | 1 +

 src/plugins/preauth/spake/spake_kdc.c | 1 +

 2 files changed, 2 insertions(+)

diff --git a/src/plugins/preauth/spake/openssl.c b/src/plugins/preauth/spake/openssl.c

index b821a9158..f2e4b53ec 100644

--- a/src/plugins/preauth/spake/openssl.c

+++ b/src/plugins/preauth/spake/openssl.c

@@ -69,6 +69,7 @@ ossl_fini(groupdata *gd)

     EC_POINT_free(gd->N);

     BN_CTX_free(gd->ctx);

     BN_free(gd->order);

+    free(gd);

 }

 static krb5_error_code

diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c

index c1723ebaf..59e88409e 100644

--- a/src/plugins/preauth/spake/spake_kdc.c

+++ b/src/plugins/preauth/spake/spake_kdc.c

@@ -75,6 +75,7 @@ parse_data(struct k5input *in, krb5_data *out)

 {

     out->length = k5_input_get_uint32_be(in);

     out->data = (char *)k5_input_get_bytes(in, out->length);

+    out->magic = KV5M_DATA;

 }

 /* Parse a received cookie into its components.  The pointers stored in the