rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   0e708d5f341a1cf613e8d3607d89d1a6d5b6359d
  2.   SOURCES
  3.   Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
Blob History Raw
27013b 
From 7a87189f7bdabc144e22d4caa6a0785a06416d8f Mon Sep 17 00:00:00 2001
31ace6 
From: Greg Hudson <ghudson@mit.edu>
31ace6 
Date: Fri, 24 Jul 2020 16:05:24 -0400
31ace6 
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
31ace6
31ace6 
In check_cbt(), use a local variable to hold the retrieved authdata
31ace6 
list, and free it before returning.
31ace6
31ace6 
ticket: 8900
31ace6 
(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
31ace6 
(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e)
31ace6 
---
31ace6 
 src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
31ace6 
 1 file changed, 13 insertions(+), 10 deletions(-)
31ace6
31ace6 
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
31ace6 
index 175a24c4e..3d5b84b15 100644
31ace6 
--- a/src/lib/gssapi/krb5/accept_sec_context.c
31ace6 
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
31ace6 
@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
31ace6 
 /* Look for AP_OPTIONS in authdata.  If present and the options include
31ace6 
  * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
31ace6 
 static krb5_error_code
31ace6 
-check_cbt(krb5_context context, krb5_authdata **authdata,
31ace6 
+check_cbt(krb5_context context, krb5_authdata *const *authdata,
31ace6 
           krb5_boolean *cbt_out)
31ace6 
 {
31ace6 
     krb5_error_code code;
31ace6 
+    krb5_authdata **ad;
31ace6 
     uint32_t ad_ap_options;
31ace6 
     const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
31ace6
31ace6 
     *cbt_out = FALSE;
31ace6
31ace6 
     code = krb5_find_authdata(context, NULL, authdata,
31ace6 
-                              KRB5_AUTHDATA_AP_OPTIONS, &authdata);
31ace6 
-    if (code || authdata == NULL)
31ace6 
+                              KRB5_AUTHDATA_AP_OPTIONS, &ad;;
31ace6 
+    if (code || ad == NULL)
31ace6 
         return code;
31ace6 
-    if (authdata[1] != NULL || authdata[0]->length != 4)
31ace6 
-        return KRB5KRB_AP_ERR_MSG_TYPE;
31ace6 
+    if (ad[1] != NULL || ad[0]->length != 4) {
31ace6 
+        code = KRB5KRB_AP_ERR_MSG_TYPE;
31ace6 
+    } else {
31ace6 
+        ad_ap_options = load_32_le(ad[0]->contents);
31ace6 
+        if (ad_ap_options & KERB_AP_OPTIONS_CBT)
31ace6 
+            *cbt_out = TRUE;
31ace6 
+    }
31ace6
31ace6 
-    ad_ap_options = load_32_le(authdata[0]->contents);
31ace6 
-    if (ad_ap_options & KERB_AP_OPTIONS_CBT)
31ace6 
-        *cbt_out = TRUE;
31ace6 
-
31ace6 
-    return 0;
31ace6 
+    krb5_free_authdata(context, ad);
31ace6 
+    return code;
31ace6 
 }
31ace6
31ace6 
 /*

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation