From: Marc Horowitz
Date: Thu, 13 Aug 1998 03:20:57 +0000 (+0000)
Subject: - make the tmsglen size check not a strict inequality, since the old
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2d9303d1eeab07f449ea15261cbeeaa74b50084;p=thirdparty%2Fkrb5.git

- make the tmsglen size check not a strict inequality, since the old
cksumtypes can return padded data.
- plug a memory leak
- reorder some stuff for clarity

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/marc-3des@10813 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 2bfd3d7611..d78e83c91a 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -328,6 +328,7 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
 if (code = krb5_c_decrypt(context, ctx->subkey,
 KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV,
 0, &cipher, &plain)) {
+ free(plain.data);
 *minor_status = code;
 return(GSS_S_FAILURE);
 }
@@ -338,6 +339,7 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
 bodysize = plain.length;
 
 if (bodysize < 7) {
+ free(plain.data);
 *minor_status = G_TOK_TRUNC;
 return(GSS_S_DEFECTIVE_TOKEN);
 }
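Review bot: Each added `free(plain.data)` releases the buffer that krb5_c_decrypt fills with the decrypted wrap-token payload without clearing it first, so message plaintext can remain readable in freed heap memory. This applies to the error paths in both hunks here and to every exit in the -351 hunk, including the success path. Consider clearing before release, e.g. `memset(plain.data, 0, plain.length); free(plain.data);`, through a helper the compiler cannot elide, and assuming plain.length still reflects the allocated size (the allocation is outside these hunks). With nine copies of the same call across the patch, a single `cleanup:` label reached by `goto` would also stop a later early return from reintroducing the leak. kg2_unwrap_priv starts and ends outside these hunks.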
@@ -351,51 +353,62 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
 ptr += 2;
 bodysize -= 7;
 
- if (bodysize != tmsglen) {
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
+ /* check context expiry */
+
+ if ((code = krb5_timeofday(context, &now))) {
+ free(plain.data);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
 }
 
- tmsg = ptr;
+ if (now > ctx->endtime) {
+ free(plain.data);
+ *minor_status = 0;
+ return(GSS_S_CONTEXT_EXPIRED);
+ }
 
- /* check context expiry */
+ /* do sequencing checks */
 
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ if ((ctx->initiate && tdirection != 0xff) ||
+ (!ctx->initiate && tdirection != 0)) {
+ free(plain.data);
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
+ }
 
- if (now > ctx->endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
+ if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
+ free(plain.data);
+ *minor_status = 0;
+ return(retval);
+ }
 
- /* do sequencing checks */
+ /* now copy out the data. can't do a strict equality check here,
+ since the output could be padded. */
 
- if ((ctx->initiate && tdirection != 0xff) ||
- (!ctx->initiate && tdirection != 0)) {
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
+ if (bodysize < tmsglen) {
+ free(plain.data);
+ *minor_status = G_TOK_TRUNC;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
 
- if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
- *minor_status = 0;
- return(retval);
- }
+ tmsg = ptr;
 
- if ((output->value = (void *) malloc(tmsglen)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ if ((output->value = (void *) malloc(tmsglen)) == NULL) {
+ free(plain.data);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
 
- memcpy(output->value, tmsg, tmsglen);
- output->length = tmsglen;
+ memcpy(output->value, tmsg, tmsglen);
+ output->length = tmsglen;
 
- if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ if (qop_state)
+ *qop_state = GSS_C_QOP_DEFAULT;
 
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ free(plain.data);
+
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
 }
 
 /* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
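Review bot: The length check `if (bodysize < tmsglen)` now runs after `g_order_check(&(ctx->seqstate), tseqnum)`, so a token later rejected as G_TOK_TRUNC has already been through the sequencing check. If g_order_check records the sequence number (it takes seqstate by pointer, but its body is not shown), a malformed token now consumes sequence state that the previous ordering left untouched. Moving the `bodysize < tmsglen` block back above the `/* check context expiry */` comment would keep all structural validation ahead of any state change. Separately, the relaxed comparison accepts any trailing bytes as padding without inspecting them, so the comment should say which cksumtypes pad and by how much. Also, `malloc(tmsglen)` with a tmsglen of 0 may return NULL on some platforms and would then be reported as ENOMEM.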