From e8e4115e7ecf18fcf3c3f813f1e1255a04ecf48b Mon Sep 17 00:00:00 2001
From: sashan
Date: Tue, 20 Feb 2018 23:05:13 +0100
Subject: [PATCH] Add malloc null checks to MSLSA ccache
---
 src/lib/krb5/ccache/cc_mslsa.c | 38 ++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index c741a5099a..0300983609 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -385,6 +385,8 @@ CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info,
 * not a NULL list of addresses. */
 creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
+ if (creds->addresses == NULL)
+ return FALSE;
 memset(creds->addresses, 0, sizeof(krb5_address *));
 return TRUE;
@@ -739,13 +741,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
 {
 NTSTATUS Status = 0;
 NTSTATUS SubStatus = 0;
- KERB_SUBMIT_TKT_REQUEST * pSubmitRequest;
+ KERB_SUBMIT_TKT_REQUEST * pSubmitRequest = NULL;
 DWORD dwRequestLen;
- krb5_auth_context auth_context;
+ krb5_auth_context auth_context = NULL;
 krb5_keyblock * keyblock = 0;
 krb5_replay_data replaydata;
 krb5_data * krb_cred = 0;
 krb5_error_code rc;
+ BOOL rv = FALSE;
 if (krb5_auth_con_init(context, &auth_context)) {
 return FALSE;
@@ -765,9 +768,13 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
 * that an enctype other than NULL be used. */
 if (keyblock == NULL) {
 keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
+ if (keyblock == NULL)
+ return FALSE;
 keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
 keyblock->length = 16;
 keyblock->contents = (krb5_octet *)malloc(16);
+ if (keyblock->contents == NULL)
+ goto cleanup;
 keyblock->contents[0] = 0xde;
 keyblock->contents[1] = 0xad;
 keyblock->contents[2] = 0xbe;
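Review bot: The new `return FALSE` after the `creds->addresses` allocation leaves whatever members of `creds` were filled in earlier in CacheInfoEx2ToMITCred still allocated; unless the caller releases a partially built credential on FALSE (not visible here), this new failure path leaks them, so either free them before returning or confirm the caller does. Separately, the `malloc` followed by `memset` can be a single call, `creds->addresses = calloc(1, sizeof(krb5_address *));`, which zeroes the same bytes and makes the separate memset line unnecessary. The function begins outside the hunk.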
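Review bot: The new initialisers use `NULL` while the neighbouring `keyblock = 0` and `krb_cred = 0` lines initialise pointers with `0`; since all four now serve the same purpose (making the shared cleanup path safe on every early exit), writing `= NULL` on each of them would make that intent read consistently. `dwRequestLen` is still left uninitialised, which is only safe as long as nothing reached through the cleanup label reads it. The function body continues past the hunk.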
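Review bot: The first added check, `if (keyblock == NULL) return FALSE;` after the keyblock malloc, returns without freeing auth_context, which krb5_auth_con_init had already set up earlier in KerbSubmitTicket, so this new failure path leaks the auth context; the `goto cleanup;` used for the contents allocation two lines below is the right exit here too, and it is safe at this point because krb5_free_keyblock and krb5_free_data both return on a NULL argument and pSubmitRequest is initialised to NULL. I'd change the line to `goto cleanup;`. The enclosing block and the cleanup label are outside this hunk.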
@@ -787,18 +794,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
 krb5_auth_con_setsendsubkey(context, auth_context, keyblock);
 }
 rc = krb5_mk_1cred(context, auth_context, cred, &krb_cred, &replaydata);
- if (rc) {
- krb5_auth_con_free(context, auth_context);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
- if (krb_cred)
- krb5_free_data(context, krb_cred);
- return FALSE;
- }
+ if (rc)
+ goto cleanup;
 dwRequestLen = sizeof(KERB_SUBMIT_TKT_REQUEST) + krb_cred->length + (keyblock ? keyblock->length : 0);
 pSubmitRequest = (PKERB_SUBMIT_TKT_REQUEST)malloc(dwRequestLen);
+ if (pSubmitRequest == NULL)
+ goto cleanup;
 memset(pSubmitRequest, 0, dwRequestLen);
 pSubmitRequest->MessageType = KerbSubmitTicketMessage;
@@ -822,8 +825,6 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
 if (keyblock)
 memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length, keyblock->contents, keyblock->length);
- krb5_free_data(context, krb_cred);
-
 Status = LsaCallAuthenticationPackage( LogonHandle,
 PackageId,
 pSubmitRequest,
@@ -832,15 +833,16 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
 NULL,
 &SubStatus );
+
+ rv = (!FAILED(Status) && !FAILED(SubStatus));
+
+cleanup:
 free(pSubmitRequest);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
+ krb5_free_keyblock(context, keyblock);
+ krb5_free_data(context, krb_cred);
 krb5_auth_con_free(context, auth_context);
- if (FAILED(Status) || FAILED(SubStatus)) {
- return FALSE;
- }
- return TRUE;
+ return rv;
 }
 /*
-- 
2.47.2
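Review bot: `pSubmitRequest = (PKERB_SUBMIT_TKT_REQUEST)malloc(dwRequestLen);` followed by `memset(pSubmitRequest, 0, dwRequestLen);` can be collapsed into `pSubmitRequest = calloc(1, dwRequestLen);` with the new NULL check kept directly after it; it zeroes the same bytes and the cast is not needed in C. The `goto cleanup` on `rc` is correct as written, since krb_cred is only dereferenced after that check. The function continues outside the hunk.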
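Review bot: The consolidated cleanup path frees pSubmitRequest without clearing it, even though the buffer carries the KRB-CRED bytes and, when keyblock is set, a copy of keyblock->contents (the memcpy in the previous hunk); now that all exits go through one label it is the natural place to wipe it first, `if (pSubmitRequest != NULL) SecureZeroMemory(pSubmitRequest, dwRequestLen);` ahead of `free(pSubmitRequest);`, which in turn needs `DWORD dwRequestLen = 0;` in the declarations so the early jumps to the label pass a defined length. The gap predates this commit (the old success path had it too), but the refactor makes it a one-place fix. The now unconditional krb5_free_keyblock and krb5_free_data calls are fine, since both return on a NULL argument.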