From jhawk@MIT.EDU Mon Nov 12 23:06:04 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
	by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id XAA04451
	for ; Mon, 12 Nov 2001 23:06:04 -0500 (EST)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA00771
	for ; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA19491
	for ; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from PICKLED-HERRING.MIT.EDU (PICKLED-HERRING.MIT.EDU [18.187.1.250])
	by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id XAA05498
	for ; Mon, 12 Nov 2001 23:03:00 -0500 (EST)
Received: (from jhawk@localhost)
	by PICKLED-HERRING.MIT.EDU (8.9.3) id XAA03787; Mon, 12 Nov 2001 23:03:00 -0500
Message-Id: <200111130403.XAA03787@PICKLED-HERRING.MIT.EDU>
Date: Mon, 12 Nov 2001 23:03:00 -0500
From: jhawk@MIT.EDU
Reply-To: jhawk@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: decrypt_credencdata() double-free()s on error.
X-Send-Pr-Version: 3.99

>Number:         1014
>Category:       krb5-libs
>Synopsis:       decrypt_credencdata() double-free()s on error.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Nov 12 23:07:00 EST 2001
>Last-Modified:
>Originator:     John Hawkinson
>Organization:   MIT
>Release:        krb5-1.2
>Environment:
System: Linux PICKLED-HERRING.MIT.EDU 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown
Architecture: i686
>Description:
decrypt_credencdata() can double free() a pointer in the event of an error.

Herein:

    38     /* now decode the decrypted stuff */
    39     if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
    40         goto cleanup_encpart;

however, decode_krb5_enc_cred_part() will free ppart in the event of an
error return:

    45 cleanup_encpart:
    46     memset(ppart, 0, sizeof(*ppart));
    47     krb5_xfree(ppart);

Unfortunately, decode_krb5_enc_cred_part() has already freed it:

    601 krb5_error_code decode_krb5_enc_cred_part(code, rep)
    602     const krb5_data * code;
    603     krb5_cred_enc_part ** rep;
    ...
    606     alloc_field(*rep,krb5_cred_enc_part);
    ...
    624 error_out:
    625     if (rep && *rep) {
    626         free_field(*rep,r_address);
    627         free_field(*rep,s_address);
    628         free(*rep);

(*rep is ppart here).

>How-To-Repeat:
Have a krb5 exchange where the server and the client have different ideas
of what is encrypted and what is not, or perhaps a case where you try to
forward tickets in the context of having failed authorization (i.e. failed
kuserok), and end up having decode_krb5_enc_cred_part() fail with
"ASN.1 identifier doesn't match expected value."
>Fix:
One of them shouldn't be free()-ing this. You figure out which.
>Audit-Trail:
>Unformatted:
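The ownership mismatch the report describes, reduced to a self-contained C illustration. This is added example code, not part of the report or of the krb5 sources: kdata_t, enc_part_t, the decoder and caller functions, the EXPECTED_TAG byte and the sample inputs are all constructed stand-ins for krb5_data, krb5_cred_enc_part, decode_krb5_enc_cred_part() and decrypt_credencdata(). A tracking free() counts a second release of the same block instead of letting it corrupt the heap, so the buggy pairing and both possible fixes (callee clears the out-parameter, or caller frees only on success) can be compared on the same failing input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for krb5_data and krb5_cred_enc_part (not the real types). */
typedef struct { size_t length; const unsigned char *data; } kdata_t;
typedef struct { int nonce; char *r_address; char *s_address; } enc_part_t;
typedef int kerr_t;
enum { KOK = 0, KERR_NOMEM = 1, KERR_ASN1_BAD_ID = 2 };
#define EXPECTED_TAG 0x7d   /* sample tag byte the toy decoder insists on (constructed) */

/* Tracking free(): remembers released pointers so a second release of the same
 * block is reported as a count rather than performed. */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int freed_count;

static int tracked_free(void *p) {
    int i;
    for (i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == p)
            return 1;                     /* already released: this is the double free */
    if (freed_count < MAX_TRACKED)
        freed_ptrs[freed_count++] = p;
    free(p);
    return 0;
}
static void tracker_reset(void) { freed_count = 0; }

typedef kerr_t (*decoder_fn)(const kdata_t *, enc_part_t **);
typedef int (*caller_fn)(decoder_fn, const kdata_t *);

/* Decoder shaped like the report's error_out path: it frees *rep on error but
 * leaves the caller's pointer aimed at the released block. */
static kerr_t decode_leaves_dangling(const kdata_t *code, enc_part_t **rep) {
    *rep = calloc(1, sizeof(**rep));      /* assigned early, like alloc_field(*rep, ...) */
    if (*rep == NULL) return KERR_NOMEM;
    if (code->length < 2 || code->data[0] != EXPECTED_TAG)
        goto error_out;                   /* "identifier doesn't match expected value" */
    (*rep)->nonce = code->data[1];
    return KOK;
error_out:
    tracked_free(*rep);                   /* *rep now dangles in the caller */
    return KERR_ASN1_BAD_ID;
}

/* Callee-side fix: hand the object to the caller only on success, so an error
 * return leaves the caller's pointer NULL and its cleanup has nothing to free. */
static kerr_t decode_clears_out_param(const kdata_t *code, enc_part_t **rep) {
    enc_part_t *p = calloc(1, sizeof(*p));
    if (p == NULL) return KERR_NOMEM;
    if (code->length < 2 || code->data[0] != EXPECTED_TAG) {
        tracked_free(p);
        *rep = NULL;                      /* caller owns nothing after an error */
        return KERR_ASN1_BAD_ID;
    }
    p->nonce = code->data[1];
    *rep = p;
    return KOK;
}

/* Caller shaped like the report's cleanup_encpart: releases ppart unconditionally.
 * Returns the number of double frees that cleanup performed. */
static int caller_always_frees(decoder_fn decode, const kdata_t *scratch) {
    enc_part_t *ppart = NULL;
    int doubles = 0;
    if (decode(scratch, &ppart) != KOK)
        goto cleanup_encpart;
    /* success path would consume ppart here */
cleanup_encpart:
    if (ppart != NULL)                    /* the original memset() here would also write freed memory */
        doubles += tracked_free(ppart);
    return doubles;
}

/* Caller-side fix: an error return means the callee released its own allocation,
 * so only a successful decode hands back something to free. */
static int caller_frees_only_on_success(decoder_fn decode, const kdata_t *scratch) {
    enc_part_t *ppart = NULL;
    if (decode(scratch, &ppart) != KOK)
        return 0;
    return tracked_free(ppart);
}

/* Constructed inputs: a wrong tag byte (decode fails) and a matching one. */
static const unsigned char BAD_INPUT[]  = { 0x30, 0x07 };
static const unsigned char GOOD_INPUT[] = { EXPECTED_TAG, 0x2a };

/* Runs one decoder/caller pairing on an input; returns the double-free count. */
int run_case(decoder_fn decode, caller_fn caller, const unsigned char *buf, size_t len) {
    kdata_t d = { len, buf };
    tracker_reset();
    return caller(decode, &d);
}

int main(void) {
    printf("bug (dangling callee + unconditional caller): %d double free(s)\n",
           run_case(decode_leaves_dangling, caller_always_frees, BAD_INPUT, sizeof BAD_INPUT));
    printf("callee fix: %d\n",
           run_case(decode_clears_out_param, caller_always_frees, BAD_INPUT, sizeof BAD_INPUT));
    printf("caller fix: %d\n",
           run_case(decode_leaves_dangling, caller_frees_only_on_success, BAD_INPUT, sizeof BAD_INPUT));
    return 0;
}
```

Either fix alone removes the double free; what matters is that the two sides agree on who owns *rep after an error. Clearing the out-parameter in the callee is the more robust choice, since it also protects callers that were never updated, and it is the convention a reviewer would ask for when a function allocates through an out-pointer.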