From: Ben Kaduk <kaduk@mit.edu>
Date: Thu, 3 Oct 2013 17:57:40 +0000 (-0400)
Subject: Zero out stack variables in process_tgs_req()
X-Git-Tag: krb5-1.12-alpha1~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=040f621b5071564b6b479e3375c9d63cbd3ee471;p=thirdparty%2Fkrb5.git

Zero out stack variables in process_tgs_req()

It is general good hygeine, preventing stack garbage from accidentally
leaking out into other consumers.

Don't bother with variables that are only used in a single place, but
do initialize the 'magic' field of nolrentry before it is used.
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index ae5e7572ea..107e2c264d 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -137,10 +137,10 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     krb5_pa_data **e_data = NULL;
     kdc_realm_t *kdc_active_realm = NULL;
 
-    reply.padata = 0; /* For cleanup handler */
-    reply_encpart.enc_padata = 0;
-    enc_tkt_reply.authorization_data = NULL;
-
+    memset(&reply, 0, sizeof(reply));
+    memset(&reply_encpart, 0, sizeof(reply_encpart));
+    memset(&ticket_reply, 0, sizeof(ticket_reply));
+    memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
@@ -701,6 +701,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     nolrentry.lr_type = KRB5_LRQ_NONE;
     nolrentry.value = 0;
+    nolrentry.magic = 0;
     nolrarray[0] = &nolrentry;
     nolrarray[1] = 0;
     reply_encpart.last_req = nolrarray;        /* not available for TGS reqs */