1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-29 05:38:00 +00:00

security/heimdal: Fix uninitialized pointer dereference

krb5_ret_preincipal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, with garbage pointing to what would
have been the principal. This results in a segfault when free() is
called.

PR:		267944, 267972
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFH:		2024Q1
This commit is contained in:
Cy Schubert 2022-11-26 08:27:08 -08:00
parent 64f7f98bb6
commit f8c4316342
2 changed files with 30 additions and 3 deletions

View File

@ -1,6 +1,6 @@
PORTNAME= heimdal
PORTVERSION= 7.8.0
PORTREVISION= 7
PORTREVISION= 8
CATEGORIES= security
MASTER_SITES= https://github.com/heimdal/heimdal/releases/download/${DISTNAME}/

View File

@ -1,6 +1,33 @@
--- lib/kadm5/marshall.c.orig 2022-09-15 16:54:19.000000000 -0700
+++ lib/kadm5/marshall.c 2022-11-24 08:47:40.099673000 -0800
@@ -407,10 +407,40 @@
+++ lib/kadm5/marshall.c 2022-11-26 08:20:41.302104000 -0800
@@ -261,9 +261,9 @@
int i;
int32_t tmp;
- if (mask & KADM5_PRINCIPAL)
- krb5_ret_principal(sp, &princ->principal);
-
+ if (mask & KADM5_PRINCIPAL)
+ if (krb5_ret_principal(sp, &princ->principal))
+ return EINVAL;
if (mask & KADM5_PRINC_EXPIRE_TIME) {
krb5_ret_int32(sp, &tmp);
princ->princ_expire_time = tmp;
@@ -282,9 +282,10 @@
}
if (mask & KADM5_MOD_NAME) {
krb5_ret_int32(sp, &tmp);
- if(tmp)
- krb5_ret_principal(sp, &princ->mod_name);
- else
+ if(tmp) {
+ if (krb5_ret_principal(sp, &princ->mod_name))
+ return EINVAL;
+ } else
princ->mod_name = NULL;
}
if (mask & KADM5_MOD_TIME) {
@@ -407,10 +408,40 @@
ret = krb5_ret_int32(sp, &mask);
if (ret)
goto out;