]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f14651a)
Fix unlikely password change leak
authorAndreas Schneider <asn@cryptomilk.org>
Fri, 11 Oct 2024 10:45:13 +0000 (12:45 +0200)
committerGreg Hudson <ghudson@mit.edu>
Fri, 18 Oct 2024 19:43:06 +0000 (15:43 -0400)
In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the
local address, a copy of the first local address's contents is made
and never freed.  Instead of making an allocated copy of the address
contents, make a shallow copy of the whole address.  Delay freeing the
address array until the end of the function so that alias pointer made
by the shallow copy remains valid.

[ghudson@mit.edu: further simplified code; rewrote commit message]

src/lib/krb5/os/changepw.c patch | blob | blame | history

diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index c59232586e1df39a03e5070ec940aae62d1d2f36..bc132bc338179b300867e81b5b8fdf694ed2c434 100644 (file)
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
     struct sendto_callback_context      *ctx = data;
     GETSOCKNAME_ARG3_TYPE               addrlen;
     krb5_data                           output;
+    krb5_address                        **addrs = NULL;
 
     memset (message, 0, sizeof(krb5_data));
 
@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
         local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
         local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
     } else {
-        krb5_address **addrs;
-
         code = krb5_os_localaddr(ctx->context, &addrs);
         if (code)
             goto cleanup;
-
-        local_kaddr.magic = addrs[0]->magic;
-        local_kaddr.addrtype = addrs[0]->addrtype;
-        local_kaddr.length = addrs[0]->length;
-        local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length,
-                                        &code);
-        krb5_free_addresses(ctx->context, addrs);
-        if (local_kaddr.contents == NULL)
-            goto cleanup;
+        local_kaddr = *addrs[0];
     }
 
 
@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
     message->data = output.data;
 
 cleanup:
+    krb5_free_addresses(ctx->context, addrs);
     return code;
 }
 
Mirror of https://github.com/krb5/krb5.git