|
 |
677019 |
From ce6defae3595fc3d9980bcf5ddc4f1a6ee90d391 Mon Sep 17 00:00:00 2001
|
|
|
21cb5a |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
21cb5a |
Date: Fri, 24 Jul 2020 16:05:24 -0400
|
|
|
21cb5a |
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
|
|
|
21cb5a |
|
|
|
21cb5a |
In check_cbt(), use a local variable to hold the retrieved authdata
|
|
|
21cb5a |
list, and free it before returning.
|
|
|
21cb5a |
|
|
|
21cb5a |
ticket: 8900
|
|
|
21cb5a |
(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
|
|
|
21cb5a |
(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e)
|
|
|
21cb5a |
---
|
|
|
21cb5a |
src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
|
|
|
21cb5a |
1 file changed, 13 insertions(+), 10 deletions(-)
|
|
|
21cb5a |
|
|
|
21cb5a |
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
|
21cb5a |
index 175a24c4e..3d5b84b15 100644
|
|
|
21cb5a |
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
|
|
21cb5a |
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
|
|
21cb5a |
@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
|
|
|
21cb5a |
/* Look for AP_OPTIONS in authdata. If present and the options include
|
|
|
21cb5a |
* KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
|
|
|
21cb5a |
static krb5_error_code
|
|
|
21cb5a |
-check_cbt(krb5_context context, krb5_authdata **authdata,
|
|
|
21cb5a |
+check_cbt(krb5_context context, krb5_authdata *const *authdata,
|
|
|
21cb5a |
krb5_boolean *cbt_out)
|
|
|
21cb5a |
{
|
|
|
21cb5a |
krb5_error_code code;
|
|
|
21cb5a |
+ krb5_authdata **ad;
|
|
|
21cb5a |
uint32_t ad_ap_options;
|
|
|
21cb5a |
const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
|
|
|
21cb5a |
|
|
|
21cb5a |
*cbt_out = FALSE;
|
|
|
21cb5a |
|
|
|
21cb5a |
code = krb5_find_authdata(context, NULL, authdata,
|
|
|
21cb5a |
- KRB5_AUTHDATA_AP_OPTIONS, &authdata);
|
|
|
21cb5a |
- if (code || authdata == NULL)
|
|
|
21cb5a |
+ KRB5_AUTHDATA_AP_OPTIONS, &ad;;
|
|
|
21cb5a |
+ if (code || ad == NULL)
|
|
|
21cb5a |
return code;
|
|
|
21cb5a |
- if (authdata[1] != NULL || authdata[0]->length != 4)
|
|
|
21cb5a |
- return KRB5KRB_AP_ERR_MSG_TYPE;
|
|
|
21cb5a |
+ if (ad[1] != NULL || ad[0]->length != 4) {
|
|
|
21cb5a |
+ code = KRB5KRB_AP_ERR_MSG_TYPE;
|
|
|
21cb5a |
+ } else {
|
|
|
21cb5a |
+ ad_ap_options = load_32_le(ad[0]->contents);
|
|
|
21cb5a |
+ if (ad_ap_options & KERB_AP_OPTIONS_CBT)
|
|
|
21cb5a |
+ *cbt_out = TRUE;
|
|
|
21cb5a |
+ }
|
|
|
21cb5a |
|
|
|
21cb5a |
- ad_ap_options = load_32_le(authdata[0]->contents);
|
|
|
21cb5a |
- if (ad_ap_options & KERB_AP_OPTIONS_CBT)
|
|
|
21cb5a |
- *cbt_out = TRUE;
|
|
|
21cb5a |
-
|
|
|
21cb5a |
- return 0;
|
|
|
21cb5a |
+ krb5_free_authdata(context, ad);
|
|
|
21cb5a |
+ return code;
|
|
|
21cb5a |
}
|
|
|
21cb5a |
|
|
|
21cb5a |
/*
|