From: ChenChen Zhou <357726167@qq.com> Date: Sun, 27 Nov 2022 14:57:14 +0000 (+0800) Subject: Fix gic_keytab crash on memory exhaustion X-Git-Tag: krb5-1.21-beta1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bc90214830cb5239aa397c20763902f10f11786;p=thirdparty%2Fkrb5.git Fix gic_keytab crash on memory exhaustion get_as_key_keytab() does not check the result of krb5_copy_keyblock(), and dereferences a null pointer if it fails. Remove the call and steal the memory from kt_ent instead. [ghudson@mit.edu: rewrote commit message; fixed comments] ticket: 9080 (new)
---
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index b8b7c15069..f9baabbf90 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -45,7 +45,6 @@ get_as_key_keytab(krb5_context context,
 krb5_keytab keytab = (krb5_keytab) gak_data;
 krb5_error_code ret;
 krb5_keytab_entry kt_ent;
- krb5_keyblock *kt_key;
 
 /* We don't need the password from the responder to create the AS key. */
 if (as_key == NULL)
@@ -71,16 +70,13 @@ get_as_key_keytab(krb5_context context,
 etype, &kt_ent)))
 return(ret);
 
- ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
-
- /* again, krb5's memory management is lame... */
-
- *as_key = *kt_key;
- free(kt_key);
+ /* Steal the keyblock from kt_ent for the caller. */
+ *as_key = kt_ent.key;
+ memset(&kt_ent.key, 0, sizeof(kt_ent.key));
 
 (void) krb5_kt_free_entry(context, &kt_ent);
 
- return(ret);
+ return 0;
 }
 
 /* Return the list of etypes available for client in keytab. */
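Review bot: The new comment above `*as_key = kt_ent.key;` in the second hunk says the keyblock is stolen but not why the `memset` that follows is required, so a later cleanup could drop it as redundant and, presumably, let krb5_kt_free_entry() release the key material the caller now owns; suggest `/* Steal the keyblock from kt_ent for the caller, and zero it so that krb5_kt_free_entry() below does not free the contents we just handed out. */`. The same hunk leaves the function with two return styles, the context `return(ret);` after krb5_kt_get_entry() and the new `return 0;`; if the parenthesized form is being retired, the earlier one is the place to make it consistent. `memset` needs <string.h>, which the hunk does not show; worth confirming the file's includes already cover it. get_as_key_keytab() begins before the first hunk, so only its declarations and tail are visible here.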