Fix kadm5/gssrpc XDR double free [CVE-2014-9421]

[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize.  This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.

In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().

ticket: 8056 (new)
target_version: 1.13.1
tags: pullup

diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 42ac783ad10c4563b4b915055c9cb12205b46051..975f94c6c6ac70491c945f36d4d108ff2102616c 100644 (file)
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head)
               free(tl);
               tl = tl2;
          }
+         *tl_data_head = NULL;
          break;
 
      case XDR_ENCODE:
@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp)
     case XDR_FREE:
        if(*objp != NULL)
            krb5_free_principal(context, *objp);
+       *objp = NULL;
        break;
     }
     return TRUE;

diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index 53bdb983c458245284a444832edb88d388bf7685..a05ea19eb7c45c8acf2d8d3b1a4e72e2938789e6 100644 (file)
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data(
      if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) {
          PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n"));
          gss_release_buffer(minor, &out_buf);
-         xdr_free(xdr_func, xdr_ptr);
          XDR_DESTROY(&temp_xdrs);
          return FALSE;
      }