Fix uninitialized pointer dereference in libkrad

Commit 871125fea8ce0370a972bf65f7d1de63f619b06c changed
krad_packet_decode_request() to use a local variable "req" to hold the
decoded packet until it is verified, instead of immediately storing
into the caller's *reqpkt.  The code to check for duplicate packets
erroneously continues to use *reqpkt, causing a read dereference of
whatever was in *reqpkt on entry to the function (typically null or an
uninitialized value).  Fix the code to use req instead of *reqpkt.

This bug does not affect the KDC (which only uses libkrad as a
client), but can crash external software using libkrad as a server if
it ever processes more than one packet at a time.

[ghudson@mit.edu: edited commit message]

ticket: 9193 (new)
tags: pullup
target_version: 1.22-next

diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index d0a43431be4746a99420e85735cc3f92e3efdc3e..ae1f6df7dfff582eba9b187bfad88fca8de6747d 100644 (file)
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -562,7 +562,7 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
 
     if (cb != NULL) {
         for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
-            if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
+            if (pkt_id_get(req) == pkt_id_get(tmp))
                 break;
         }