From jhawk@MIT.EDU Mon Nov 12 23:06:04 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id XAA04451
for <bugs@RT-11.mit.edu>; Mon, 12 Nov 2001 23:06:04 -0500 (EST)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA00771
for <bugs@RT-11.mit.edu>; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA19491
for <krb5-bugs@mit.edu>; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from PICKLED-HERRING.MIT.EDU (PICKLED-HERRING.MIT.EDU [18.187.1.250])
by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id XAA05498
for <krb5-bugs@mit.edu>; Mon, 12 Nov 2001 23:03:00 -0500 (EST)
Received: (from jhawk@localhost) by PICKLED-HERRING.MIT.EDU (8.9.3)
id XAA03787; Mon, 12 Nov 2001 23:03:00 -0500
Message-Id: <200111130403.XAA03787@PICKLED-HERRING.MIT.EDU>
Date: Mon, 12 Nov 2001 23:03:00 -0500
From: jhawk@MIT.EDU
Reply-To: jhawk@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: decrypt_credencdata() double-free()s on error.
X-Send-Pr-Version: 3.99
>Number: 1014
>Category: krb5-libs
>Synopsis: decrypt_credencdata() double-free()s on error.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 12 23:07:00 EST 2001
>Last-Modified:
>Originator: John Hawkinson
>Organization: MIT
>Release: krb5-1.2
>Environment:
System: Linux PICKLED-HERRING.MIT.EDU 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown
Architecture: i686
>Description:
decrypt_credencdata() can double free() a pointer in the event of an error. Herein:

    /* now decode the decrypted stuff */
    if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
        goto cleanup_encpart;

however, decode_krb5_enc_cred_part() will free ppart in the event of
an error return:

    cleanup_encpart:
        memset(ppart, 0, sizeof(*ppart));
        krb5_xfree(ppart);

Unfortunately, decode_krb5_enc_cred_part() has already freed it:

    krb5_error_code decode_krb5_enc_cred_part(code, rep)
        const krb5_data * code;
        krb5_cred_enc_part ** rep;
    ...
        alloc_field(*rep,krb5_cred_enc_part);
    ...
    error_out:
        if (rep && *rep) {
            free_field(*rep,r_address);
            free_field(*rep,s_address);
            free(*rep);

(*rep is ppart here).
>How-To-Repeat:
Have a krb5 exchange where the server and the client have different ideas of what is encrypted and what is not, or
perhaps a case where you try to forward tickets in the context
of having failed authorization (i.e. failed kuserok), and
end up having decode_krb5_enc_cred_part() fail with
"ASN.1 identifier doesn't match expected value."
>Fix:
One of them shouldn't be free()-ing this. You figure out which.
>Audit-Trail:
>Unformatted:
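The ownership question the report leaves open ("one of them shouldn't be free()-ing this"), worked through as an added example. This is not code from the krb5 tree: the struct, the toy byte format and the names decode_enc_part(), process_enc_part() and free_enc_part() are constructed here to mirror the shape of decode_krb5_enc_cred_part() and decrypt_credencdata(). The example goes one step beyond the report by fixing both sides at once: the decoder owns cleanup on its own error path and says so by leaving the caller's pointer NULL, and the caller's single cleanup label tolerates NULL, so neither a failed decode nor a later refactor of either function can reintroduce the double free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_cred_enc_part, constructed for this example. */
typedef struct {
    char *r_address;
    char *s_address;
    unsigned nonce;
} cred_enc_part;

enum { DECODE_OK = 0, DECODE_BAD_ID = 1, DECODE_NOMEM = 2 };

/* Single release routine, NULL-tolerant, so every cleanup path is idempotent. */
static void free_enc_part(cred_enc_part *p)
{
    if (p == NULL)
        return;
    free(p->r_address);
    free(p->s_address);
    memset(p, 0, sizeof(*p));
    free(p);
}

/*
 * Toy wire format, constructed for this example (not Kerberos ASN.1):
 *   buf[0]   identifier byte, must be 0x30
 *   buf[1]   nonce
 *   buf[2..] s_address bytes (may be empty)
 *
 * Ownership contract: on success the caller owns *rep. On failure this
 * function frees everything it allocated and leaves *rep == NULL, so a
 * caller that always runs its cleanup label cannot free the object twice.
 */
static int decode_enc_part(const uint8_t *buf, size_t len, cred_enc_part **rep)
{
    int retval = DECODE_OK;
    cred_enc_part *p;

    *rep = NULL;
    p = calloc(1, sizeof(*p));
    if (p == NULL)
        return DECODE_NOMEM;

    if (len < 2 || buf[0] != 0x30) {
        retval = DECODE_BAD_ID;   /* "identifier doesn't match expected value" */
        goto error_out;
    }
    p->nonce = buf[1];
    p->s_address = malloc(len - 2 + 1);
    if (p->s_address == NULL) {
        retval = DECODE_NOMEM;
        goto error_out;
    }
    memcpy(p->s_address, buf + 2, len - 2);
    p->s_address[len - 2] = '\0';

    *rep = p;                     /* ownership transfers only on success */
    return DECODE_OK;

error_out:
    free_enc_part(p);             /* *rep is still NULL: nothing left for the caller */
    return retval;
}

/*
 * Caller shaped like decrypt_credencdata(): decode, pull out the field it
 * needs, and fall through one cleanup label on both success and failure.
 */
static int process_enc_part(const uint8_t *buf, size_t len, unsigned *nonce_out)
{
    cred_enc_part *ppart = NULL;
    int retval;

    retval = decode_enc_part(buf, len, &ppart);
    if (retval != DECODE_OK)
        goto cleanup_encpart;
    *nonce_out = ppart->nonce;

cleanup_encpart:
    /* Safe either way: NULL after a failed decode, owned by us after success. */
    free_enc_part(ppart);
    return retval;
}
```

The check worth keeping in a test suite is the one on the failure path: feed the decoder a buffer with the wrong identifier byte, start the out-pointer at a non-NULL value, and assert it comes back NULL. Building the original pattern (decoder frees without nulling, caller frees again) with -fsanitize=address makes the defect visible immediately as an AddressSanitizer double-free report, which is a faster way to settle "which one should free" than reading both functions.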