From 7a87189f7bdabc144e22d4caa6a0785a06416d8f Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Fri, 24 Jul 2020 16:05:24 -0400

Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support

In check_cbt(), use a local variable to hold the retrieved authdata

list, and free it before returning.

ticket: 8900

(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)

(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e)

---

 src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------

 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c

index 175a24c4e..3d5b84b15 100644

--- a/src/lib/gssapi/krb5/accept_sec_context.c

+++ b/src/lib/gssapi/krb5/accept_sec_context.c

@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];

 /* Look for AP_OPTIONS in authdata.  If present and the options include

  * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */

 static krb5_error_code

-check_cbt(krb5_context context, krb5_authdata **authdata,

+check_cbt(krb5_context context, krb5_authdata *const *authdata,

           krb5_boolean *cbt_out)

 {

     krb5_error_code code;

+    krb5_authdata **ad;

     uint32_t ad_ap_options;

     const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;

     *cbt_out = FALSE;

     code = krb5_find_authdata(context, NULL, authdata,

-                              KRB5_AUTHDATA_AP_OPTIONS, &authdata);

-    if (code || authdata == NULL)

+                              KRB5_AUTHDATA_AP_OPTIONS, &ad;;

+    if (code || ad == NULL)

         return code;

-    if (authdata[1] != NULL || authdata[0]->length != 4)

-        return KRB5KRB_AP_ERR_MSG_TYPE;

+    if (ad[1] != NULL || ad[0]->length != 4) {

+        code = KRB5KRB_AP_ERR_MSG_TYPE;

+    } else {

+        ad_ap_options = load_32_le(ad[0]->contents);

+        if (ad_ap_options & KERB_AP_OPTIONS_CBT)

+            *cbt_out = TRUE;

+    }

-    ad_ap_options = load_32_le(authdata[0]->contents);

-    if (ad_ap_options & KERB_AP_OPTIONS_CBT)

-        *cbt_out = TRUE;

-

-    return 0;

+    krb5_free_authdata(context, ad);

+    return code;

 }

 /*