From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 22 Jun 2016 14:29:43 +0000 (-0400)
Subject: Filter CAMMAC authdata by module->ad_type
X-Git-Tag: krb5-1.15-beta1~164
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7df4aec92aebabaaf14de9de062f526228e65f48;p=thirdparty%2Fkrb5.git

Filter CAMMAC authdata by module->ad_type

Also, do not leak cammac_authdata.

[ghudson@mit.edu: also fix two sizeof() expressions]

ticket: 8425
---

diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index b5cb78866d..c56f7bc650 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -561,13 +561,13 @@ extract_cammacs(krb5_context kcontext, krb5_authdata **cammacs,
 
         /* Add the verified elements to list and free the container array. */
         for (n_elements = 0; elements[n_elements] != NULL; n_elements++);
-        new_list = realloc(list, (count + n_elements + 1) * sizeof(list));
+        new_list = realloc(list, (count + n_elements + 1) * sizeof(*list));
         if (new_list == NULL) {
             ret = ENOMEM;
             goto cleanup;
         }
         list = new_list;
-        memcpy(list + count, elements, n_elements * sizeof(list));
+        memcpy(list + count, elements, n_elements * sizeof(*list));
         count += n_elements;
         list[count] = NULL;
         free(elements);
@@ -657,7 +657,11 @@ krb5int_authdata_verify(krb5_context kcontext,
         }
 
         if (cammac_authdata != NULL && (module->flags & AD_CAMMAC_PROTECTED)) {
-            authdata = cammac_authdata;
+            code = krb5_find_authdata(kcontext, cammac_authdata, NULL,
+                                      module->ad_type, &authdata);
+            if (code)
+                break;
+
             kdc_issued_flag = TRUE;
         }
 
@@ -715,6 +719,7 @@ krb5int_authdata_verify(krb5_context kcontext,
 cleanup:
     krb5_free_principal(kcontext, kdc_issuer);
     krb5_free_authdata(kcontext, kdc_issued_authdata);
+    krb5_free_authdata(kcontext, cammac_authdata);
 
     return code;
 }