git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Sat, 27 Dec 2014 19:16:13 +0000 (14:16 -0500)
committer	Tom Yu <tlyu@mit.edu>
	Wed, 4 Feb 2015 22:21:30 +0000 (17:21 -0500)
commit	771228aafa71f472578931b798c9e159a79d196e
tree	f7688df66c60a83720a366e71793f44afbae6bed	tree
parent	e76dbd8d163e235d821011ed9ea3baa5376da854	commit \| diff

Fix kadm5/gssrpc XDR double free [CVE-2014-9421]

[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize. This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.

In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().

(cherry picked from commit a197e92349a4aa2141b5dff12e9dd44c2a2166e3)

ticket: 8068 (new)
version_fixed: 1.12.3
status: resolved

src/lib/kadm5/kadm_rpc_xdr.c		diff \| blob \| blame \| history
src/lib/rpc/auth_gssapi_misc.c		diff \| blob \| blame \| history