From mhpower@MIT.EDU Mon Dec 29 03:06:27 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id DAA02526 for ; Mon, 29 Dec 1997 03:06:26 -0500
Received: from YAZ-PISTACHIO.MIT.EDU by MIT.EDU with SMTP id AB15829; Mon, 29 Dec 97 03:06:40 EST
Received: by yaz-pistachio.MIT.EDU (5.57/4.7) id AA26738; Mon, 29 Dec 97 03:06:24 -0500
Message-Id: <9712290806.AA26738@yaz-pistachio.MIT.EDU>
Date: Mon, 29 Dec 1997 03:06:23 EST
From: mhpower@MIT.EDU
Reply-To: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: missing malloc return-value checks in lib/krb5
X-Send-Pr-Version: 3.99

>Number: 518
>Category: krb5-libs
>Synopsis: missing malloc return-value checks in lib/krb5
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Dec 29 03:07:00 EST 1997
>Last-Modified: Fri Jan 02 22:41:01 EST 1998
>Originator: Matt Power
>Organization: MIT
>Release: current
>Environment:
any
System: any
Machine: any
>Description:
In some portions of the code under lib/krb5, the return value of malloc is not checked. This can result in anomalous behavior if the return value is NULL.
>How-To-Repeat:
Call the library functions in an environment in which there is little free virtual memory.
>Fix: *** krb5-current/src/lib/krb5/asn.1/asn1buf.c.old Sun Dec 28 03:04:45 1997 --- krb5-current/src/lib/krb5/asn.1/asn1buf.c Mon Dec 29 02:13:06 1997 *************** *** 237,238 **** --- 237,242 ---- (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); + if ((*code)->data == NULL){ + free(*code); + return ENOMEM; + } for(i=0; i < (*code)->length; i++) *** krb5-current/src/lib/krb5/krb/chpw.c.old Sun Dec 28 03:05:05 1997 --- krb5-current/src/lib/krb5/krb/chpw.c Mon Dec 29 01:48:46 1997 *************** *** 33,34 **** --- 33,36 ---- packet->data = (char *) malloc(packet->length); + if (packet->data == NULL) + return(ENOMEM); ptr = packet->data; *************** *** 178,179 **** --- 180,185 ---- result_data->data = (char *) malloc(result_data->length); + if (result_data->data == NULL) { + ret = ENOMEM; + goto cleanup; + } memcpy(result_data->data, ptr, result_data->length); *** krb5-current/src/lib/krb5/krb/preauth.c.old Sun Dec 28 03:05:09 1997 --- krb5-current/src/lib/krb5/krb/preauth.c Mon Dec 29 02:00:03 1997 *************** *** 480,481 **** --- 480,484 ---- prompt_len+ strlen(sep3) + 1); + if (p == NULL) { + return NULL; + } if (challenge_len) { *************** *** 542,544 **** --- 545,554 ---- char *passcode = malloc(pcsize+1); + if (passcode == NULL) { + return ENOMEM; + } prompt = handle_sam_labels(sam_challenge); + if (prompt == NULL) { + free(passcode); + return ENOMEM; + } retval = krb5_read_password(context, prompt, 0, passcode, &pcsize); *************** *** 554,555 **** --- 564,568 ---- prompt = handle_sam_labels(sam_challenge); + if (prompt == NULL) { + return ENOMEM; + } retval = sam_get_pass_from_user(context, etype_info, key_proc, *** krb5-current/src/lib/krb5/os/changepw.c.old Sun Dec 28 03:05:13 1997 --- krb5-current/src/lib/krb5/os/changepw.c Mon Dec 29 02:03:06 1997 *************** *** 127,130 **** --- 127,132 ---- addr_p = (struct sockaddr *) malloc(sizeof(struct sockaddr) * count); + if (addr_p == NULL) + return ENOMEM; host = 
hostlist[0]; *************** *** 168,171 **** --- 170,175 ---- realloc ((char *)addr_p, sizeof(struct sockaddr) * count); + if (addr_p == NULL) + return ENOMEM; } } *** krb5-current/src/lib/krb5/os/locate_kdc.c.old Sun Dec 28 03:05:15 1997 --- krb5-current/src/lib/krb5/os/locate_kdc.c Mon Dec 29 02:03:34 1997 *************** *** 150,153 **** --- 150,155 ---- addr_p = (struct sockaddr *)malloc (sizeof (struct sockaddr) * count); + if (addr_p == NULL) + return ENOMEM; for (i=0, out=0; hostlist[i]; i++) { *************** *** 196,199 **** --- 198,203 ---- realloc ((char *)addr_p, sizeof(struct sockaddr) * count); + if (addr_p == NULL) + return ENOMEM; } if (sec_udpport && !port) { >Audit-Trail: Responsible-Changed-From-To: krb5-unassigned->tlyu Responsible-Changed-By: tlyu Responsible-Changed-When: Fri Jan 2 22:37:20 1998 Responsible-Changed-Why: State-Changed-From-To: open-closed State-Changed-By: tlyu State-Changed-When: Fri Jan 2 22:37:28 1998 State-Changed-Why: Fixed src/lib/krb5/asn.1/asn1buf.c 5.13 src/lib/krb5/krb/chpw.c 5.2 src/lib/krb5/krb/preauth.c 5.27 src/lib/krb5/os/changepw.c 5.2 src/lib/krb5/os/locate_kdc.c 5.31 From: Tom Yu To: mhpower@MIT.EDU Cc: krb5-bugs@MIT.EDU Subject: Re: krb5-libs/518: missing malloc return-value checks in lib/krb5 Date: Fri, 2 Jan 1998 22:39:48 -0500 Thanks for the patch; it should get picked up by the next update. ---Tom >Unformatted:
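Review bot: in the asn1buf.c hunk, the new error path calls free(*code) but leaves *code pointing at the freed block, so a caller that cleans up its output pointer after ENOMEM would free it a second time. Set *code = NULL right after the free, before return ENOMEM, so the failure state is unambiguous.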
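Review bot: in both chpw.c hunks, malloc is called with the raw length (malloc(packet->length), malloc(result_data->length)), and malloc is allowed to return NULL for a zero-size request, which the new checks would report as ENOMEM. If a zero length can reach either call, test the length before allocating. In the first hunk, packet->length also stays set while packet->data is NULL on the error return; resetting it to 0 there keeps the structure consistent. The first hunk writes return(ENOMEM); where the rest of the patch writes return ENOMEM;.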
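Review bot: in the second and third preauth.c hunks, every NULL from handle_sam_labels is turned into ENOMEM (if (prompt == NULL) ... return ENOMEM;), which is only accurate if allocation failure is the sole reason that function returns NULL. If the first preauth.c hunk (if (p == NULL) return NULL;) is inside handle_sam_labels, as the new caller checks suggest, the function's comment should state that it returns NULL on allocation failure, and any other NULL return path needs its own error code at the call sites.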
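Review bot: in the realloc hunks of changepw.c and locate_kdc.c, the check tests addr_p after the call, so, assuming the line above the visible context assigns the realloc result back to addr_p as the new check implies, a failed realloc overwrites the only pointer to the original block, which realloc leaves allocated, and that block is leaked on the return ENOMEM path. Store the result in a temporary, and on NULL free the old addr_p before returning.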
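Review bot: in the malloc hunks of changepw.c and locate_kdc.c, the new return ENOMEM exits while hostlist, used on the next context line (host = hostlist[0]; and for (i=0, out=0; hostlist[i]; i++)), is still live. If hostlist was allocated earlier in these functions, it has to be released on this path as well, for example by routing the failure through a shared cleanup label the way the second chpw.c hunk does with goto cleanup.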