From: Andreas Schneider
Date: Fri, 11 Oct 2024 10:45:13 +0000 (+0200)
Subject: Fix unlikely password change leak
X-Git-Tag: krb5-1.22-beta1~65
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=038793c3083f44c4fb62626c12f80c80147029cf;p=thirdparty%2Fkrb5.git

Fix unlikely password change leak

In kpasswd_sendto_msg_callback(), if getsockname() does not reveal the local address, a copy of the first local address's contents is made and never freed. Instead of making an allocated copy of the address contents, make a shallow copy of the whole address. Delay freeing the address array until the end of the function so that alias pointer made by the shallow copy remains valid.

[ghudson@mit.edu: further simplified code; rewrote commit message]
---
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index c59232586e..bc132bc338 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -115,6 +115,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
 struct sendto_callback_context *ctx = data;
 GETSOCKNAME_ARG3_TYPE addrlen;
 krb5_data output;
+ krb5_address **addrs = NULL;
 memset (message, 0, sizeof(krb5_data));
@@ -143,20 +144,10 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
 local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
 local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
 } else {
- krb5_address **addrs;
-
 code = krb5_os_localaddr(ctx->context, &addrs);
 if (code) goto cleanup;
-
- local_kaddr.magic = addrs[0]->magic;
- local_kaddr.addrtype = addrs[0]->addrtype;
- local_kaddr.length = addrs[0]->length;
- local_kaddr.contents = k5memdup(addrs[0]->contents, addrs[0]->length, &code);
- krb5_free_addresses(ctx->context, addrs);
- if (local_kaddr.contents == NULL)
- goto cleanup;
+ local_kaddr = *addrs[0];
 }
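Review bot: The new `local_kaddr = *addrs[0];` leaves `local_kaddr.contents` aliasing storage owned by the `addrs` array, and nothing at the assignment records that the alias is only valid until the array is freed at `cleanup`; a maintainer who later moves the free or reuses `local_kaddr` after it will get a use-after-free with no local hint. I would add `/* Shallow copy: local_kaddr.contents aliases addrs[0]->contents, which stays valid until addrs is freed at cleanup. */` above the assignment. The first element is also dereferenced without checking that krb5_os_localaddr() returned a non-empty list; the removed code had the same unchecked `addrs[0]`, so this is not new, but if that helper can succeed with an empty array (I have not confirmed it cannot) a `if (addrs[0] == NULL) { code = ...; goto cleanup; }` guard would belong here. kpasswd_sendto_msg_callback() starts before and continues after this hunk.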
@@ -193,6 +184,7 @@ kpasswd_sendto_msg_callback(SOCKET fd, void *data, krb5_data *message)
 message->data = output.data;
 cleanup:
+ krb5_free_addresses(ctx->context, addrs);
 return code;
 }
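Review bot: The unconditional `krb5_free_addresses(ctx->context, addrs);` at `cleanup:` is now reached on every exit path, including the getsockname() paths where `addrs` is still the `NULL` it was initialised to and the path where krb5_os_localaddr() itself failed, so its correctness rests on two contracts that the hunk does not state: krb5_free_addresses() must accept `NULL` (I believe it returns early on a null array, but that is worth confirming rather than assuming), and krb5_os_localaddr() must leave `*addrs` untouched on failure so the free does not see a stale or partially built pointer. I would document the reliance with `/* addrs is NULL unless krb5_os_localaddr() succeeded; krb5_free_addresses() tolerates NULL. */` above the call. Because `local_kaddr` may alias this array (see the earlier hunk), nothing between `cleanup:` and `return code;` may touch it, which holds as written. The enclosing function begins before this hunk.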