From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 7 Dec 2022 07:13:25 +0000 (+1300)
Subject: CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
X-Git-Tag: samba-4.15.13~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73c7c6ec9bc3a1993e766f119e9e29905ded5e28;p=thirdparty%2Fsamba.git

CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC

Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index ad026dd617b..bda61e69df2 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
 			client_name);
 		continue;
 	    }
-	    free_PA_ENC_TS_ENC(&p);
 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
 		char client_time[100];
 
@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
 		 * there is a e_text, they become unhappy.
 		 */
 		e_text = NULL;
+		free_PA_ENC_TS_ENC(&p);
 		goto out;
 	    }
+	    free_PA_ENC_TS_ENC(&p);
 	    et.flags.pre_authent = 1;
 
 	    set_salt_padata(rep.padata, pa_key->salt);