author | 2006-10-06 07:09:09 +0000 | |
---|---|---|
committer | 2006-10-06 07:09:09 +0000 | |
commit | 71884c59ca34e4023f2b9e7b487aea7dd829a37b (patch) | |
tree | f0f7a3869e93bb983bcaf0bf7ea6a7fb45f1d382 | |
parent | fix an exploitable integer overflow found by Chris Evans of Google (diff) | |
download | wireguard-openbsd-71884c59ca34e4023f2b9e7b487aea7dd829a37b.tar.xz wireguard-openbsd-71884c59ca34e4023f2b9e7b487aea7dd829a37b.zip |
Coverity fixes backported from the heimdal cvs.
ok beck@, No problem deraadt@
-rw-r--r-- | kerberosV/src/kadmin/random_password.c | 4 | ||||
-rw-r--r-- | kerberosV/src/kdc/524.c | 28 | ||||
-rw-r--r-- | kerberosV/src/kdc/hprop.c | 4 | ||||
-rw-r--r-- | kerberosV/src/kdc/mit_dump.c | 1 | ||||
-rw-r--r-- | kerberosV/src/kdc/string2key.c | 11 | ||||
-rw-r--r-- | kerberosV/src/kpasswd/kpasswdd.c | 5 | ||||
-rw-r--r-- | kerberosV/src/lib/asn1/hash.c | 15 | ||||
-rw-r--r-- | kerberosV/src/lib/kadm5/init_c.c | 11 | ||||
-rw-r--r-- | kerberosV/src/lib/kadm5/log.c | 150 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/addr_families.c | 9 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/build_auth.c | 9 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/crypto.c | 4 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/keytab_any.c | 31 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/keytab_file.c | 36 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/keytab_krb4.c | 7 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/log.c | 2 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/mk_req_ext.c | 17 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/principal.c | 3 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/rd_req.c | 4 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/store.c | 21 | ||||
-rw-r--r-- | kerberosV/src/lib/krb5/transited.c | 4 |
21 files changed, 231 insertions, 145 deletions
diff --git a/kerberosV/src/kadmin/random_password.c b/kerberosV/src/kadmin/random_password.c
index 9b8950306e4..3f9c6033d7d 100644
--- a/kerberosV/src/kadmin/random_password.c
+++ b/kerberosV/src/kadmin/random_password.c
@@ -134,8 +134,10 @@ generate_password(char **pw, int num_classes, ...)
 }
 va_end(ap);
 *pw = malloc(len + 1);
- if(*pw == NULL)
+ if(*pw == NULL) {
+ free(classes);
 return;
+ }
 for(i = 0; i < len; i++) {
 int j;
 int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i);
diff --git a/kerberosV/src/kdc/524.c b/kerberosV/src/kdc/524.c
index 74b7d25f417..d62f932e37f 100644
--- a/kerberosV/src/kdc/524.c
+++ b/kerberosV/src/kdc/524.c
@@ -348,19 +348,21 @@ out:
 /* make reply */
 memset(buf, 0, sizeof(buf));
 sp = krb5_storage_from_mem(buf, sizeof(buf));
- krb5_store_int32(sp, ret);
- if(ret == 0){
- krb5_store_int32(sp, kvno);
- krb5_store_data(sp, ticket.cipher);
- /* Aargh! This is coded as a KTEXT_ST. */
- krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
- krb5_store_int32(sp, 0); /* mbz */
- free_EncryptedData(&ticket);
- }
- ret = krb5_storage_to_data(sp, reply);
- reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
- krb5_storage_free(sp);
-
+ if (sp) {
+ krb5_store_int32(sp, ret);
+ if(ret == 0){
+ krb5_store_int32(sp, kvno);
+ krb5_store_data(sp, ticket.cipher);
+ /* Aargh! This is coded as a KTEXT_ST. */
+ krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
+ krb5_store_int32(sp, 0); /* mbz */
+ free_EncryptedData(&ticket);
+ }
+ ret = krb5_storage_to_data(sp, reply);
+ reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
+ krb5_storage_free(sp);
+ } else
+ krb5_data_zero(reply);
 if(spn)
 free(spn);
 if(server)
diff --git a/kerberosV/src/kdc/hprop.c b/kerberosV/src/kdc/hprop.c
index bd48a5ae98b..1ddc85e116f 100644
--- a/kerberosV/src/kdc/hprop.c
+++ b/kerberosV/src/kdc/hprop.c
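Review bot: In the reply-building code after `out:` in 524.c, the new `else` branch only calls `krb5_data_zero(reply)`; it leaves `ret` untouched and skips `free_EncryptedData(&ticket)`. If `krb5_storage_from_mem` fails while `ret == 0`, the function keeps a success status with an empty reply and does not release the ticket. The else branch could become `else { if (ret == 0) { free_EncryptedData(&ticket); ret = ENOMEM; } krb5_data_zero(reply); }`. What is returned after the cleanup lines lies outside the hunk, so confirm that `ret` is the value the caller sees.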
@@ -749,7 +749,7 @@ main(int argc, char **argv)
 HDB *db = NULL;
 int optind = 0;
- int type = 0;
+ int type;
 if(getarg(args, num_args, argc, argv, &optind))
 usage(1);
@@ -788,8 +788,6 @@ main(int argc, char **argv)
 "only one of `--encrypt' and `--decrypt' is meaningful");
 if(source_type != NULL) {
- if(type != 0)
- krb5_errx(context, 1, "more than one database type specified");
 type = parse_source_type(source_type);
 if(type == 0)
 krb5_errx(context, 1, "unknown source type `%s'", source_type);
diff --git a/kerberosV/src/kdc/mit_dump.c b/kerberosV/src/kdc/mit_dump.c
index b16d88bf495..623333aeaf0 100644
--- a/kerberosV/src/kdc/mit_dump.c
+++ b/kerberosV/src/kdc/mit_dump.c
@@ -366,5 +366,6 @@ mit_prop_dump(void *arg, const char *file)
 q = nexttoken(&p); /* extra data */
 v5_prop(pd->context, NULL, &ent, arg);
 }
+ fclose(f);
 return 0;
 }
diff --git a/kerberosV/src/kdc/string2key.c b/kerberosV/src/kdc/string2key.c
index 077b1525918..ecd0d8e9020 100644
--- a/kerberosV/src/kdc/string2key.c
+++ b/kerberosV/src/kdc/string2key.c
@@ -74,17 +74,24 @@ tokey(krb5_context context,
 krb5_salt salt,
 const char *label)
 {
+ krb5_error_code ret;
 int i;
 krb5_keyblock key;
 char *e;
- krb5_string_to_key_salt(context, enctype, password, salt, &key);
- krb5_enctype_to_string(context, enctype, &e);
+
+ ret = krb5_string_to_key_salt(context, enctype, password, salt, &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_string_to_key_salt");
+ ret = krb5_enctype_to_string(context, enctype, &e);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_enctype_to_string");
 printf(label, e);
 printf(": ");
 for(i = 0; i < key.keyvalue.length; i++)
 printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
 printf("\n");
 krb5_free_keyblock_contents(context, &key);
+ free(e);
 }
 int
diff --git a/kerberosV/src/kpasswd/kpasswdd.c b/kerberosV/src/kpasswd/kpasswdd.c
index 9b8c7c40925..deb28e7bcc1 100644
--- a/kerberosV/src/kpasswd/kpasswdd.c
+++ b/kerberosV/src/kpasswd/kpasswdd.c
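Review bot: With the initializer dropped in the first hprop.c hunk (`int type;`), `type` in main() is assigned only inside `if(source_type != NULL)` as far as these two hunks show. The end of that `if` and any `else` branch are outside the hunks; if the remaining code still tests `type` when no source type was given, it now reads an indeterminate value. Either keep `int type = 0;` or make sure the fallback path assigns `type` unconditionally before its first use.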
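Review bot: `printf(label, e);` in tokey() still uses the `label` parameter as the format string, and the lines added around it leave that contract undocumented. The callers are not visible in this hunk; the call is only safe if every one of them passes a literal with exactly one `%s`. A comment above tokey() would make the requirement explicit, e.g. `/* label is a printf format containing exactly one %s (the enctype name); pass string literals only */`.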
@@ -687,6 +687,11 @@ doit (krb5_keytab keytab, int port)
 buf, ret);
 }
 }
+
+ for (i = 0; i < n; ++i)
+ close(sockets[i]);
+ free(sockets);
+
 krb5_free_addresses (context, &addrs);
 krb5_free_host_realm (context, realms);
 krb5_free_context (context);
diff --git a/kerberosV/src/lib/asn1/hash.c b/kerberosV/src/lib/asn1/hash.c
index fa76bbf95d7..9e29a7e9fcc 100644
--- a/kerberosV/src/lib/asn1/hash.c
+++ b/kerberosV/src/lib/asn1/hash.c
@@ -53,17 +53,16 @@ hashtabnew(int sz,
 assert(sz > 0);
 htab = (Hashtab *) malloc(sizeof(Hashtab) + (sz - 1) * sizeof(Hashentry *));
+ if (htab == NULL)
+ return NULL;
+
 for (i = 0; i < sz; ++i)
 htab->tab[i] = NULL;
- if (htab == NULL) {
- return NULL;
- } else {
- htab->cmp = cmp;
- htab->hash = hash;
- htab->sz = sz;
- return htab;
- }
+ htab->cmp = cmp;
+ htab->hash = hash;
+ htab->sz = sz;
+ return htab;
 }
 /* Intern search function */
diff --git a/kerberosV/src/lib/kadm5/init_c.c b/kerberosV/src/lib/kadm5/init_c.c
index 1ff1e1d0d2c..8b519a1dcef 100644
--- a/kerberosV/src/lib/kadm5/init_c.c
+++ b/kerberosV/src/lib/kadm5/init_c.c
@@ -270,6 +270,8 @@ _kadm5_c_get_cred_cache(krb5_context context,
 name, "admin", NULL);
 if(ret != 0) {
 krb5_free_principal(context, default_client);
+ if (client)
+ krb5_free_principal(context, client);
 krb5_cc_close(context, id);
 return ret;
 }
@@ -312,8 +314,13 @@ _kadm5_c_get_cred_cache(krb5_context context,
 id = NULL;
 }
 }
- } else if(ccache != NULL)
+ } else if(ccache != NULL) {
 id = ccache;
+ ret = krb5_cc_get_principal(context, id, &client);
+ if(ret)
+ return ret;
+ }
+
 if(id && (default_client == NULL || krb5_principal_compare(context, client, default_client))) {
@@ -330,7 +337,7 @@ _kadm5_c_get_cred_cache(krb5_context context,
 return -1;
 }
 /* get creds via AS request */
- if(id)
+ if(id && (id != ccache))
 krb5_cc_close(context, id);
 if (client != default_client)
 krb5_free_principal(context, default_client);
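Review bot: The new `else if(ccache != NULL)` branch in _kadm5_c_get_cred_cache() returns immediately when `krb5_cc_get_principal` fails and writes its result into `client` without looking at the previous value. The first hunk shows that both `default_client` and `client` can hold allocated principals in this function, so this path may leak `default_client` on the early return and may overwrite a `client` obtained earlier. The code between the hunks is not visible, so this needs checking against the whole function. If either can be set at this point, release it first, e.g. `if(ret) { krb5_free_principal(context, default_client); return ret; }`.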
diff --git a/kerberosV/src/lib/kadm5/log.c b/kerberosV/src/lib/kadm5/log.c
index af7bbf38146..24a517e8946 100644
--- a/kerberosV/src/lib/kadm5/log.c
+++ b/kerberosV/src/lib/kadm5/log.c
@@ -296,33 +296,36 @@ kadm5_log_delete (kadm5_server_context *context,
 kadm5_log_context *log_context = &context->log_context;
 sp = krb5_storage_emem();
+ if (sp == NULL)
+ return ENOMEM;
 ret = kadm5_log_preamble (context, sp, kadm_delete);
- if (ret) {
- krb5_storage_free(sp);
- return ret;
- }
- krb5_store_int32 (sp, 0);
+ if (ret)
+ goto out;
+ ret = krb5_store_int32 (sp, 0);
+ if (ret)
+ goto out;
 off = krb5_storage_seek (sp, 0, SEEK_CUR);
- krb5_store_principal (sp, princ);
+ ret = krb5_store_principal (sp, princ);
+ if (ret)
+ goto out;
 len = krb5_storage_seek (sp, 0, SEEK_CUR) - off;
 krb5_storage_seek(sp, -(len + 4), SEEK_CUR);
- krb5_store_int32 (sp, len);
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto out;
 krb5_storage_seek(sp, len, SEEK_CUR);
- krb5_store_int32 (sp, len);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto out;
 ret = kadm5_log_postamble (log_context, sp);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+ if (ret)
+ goto out;
 ret = kadm5_log_flush (log_context, sp);
- krb5_storage_free (sp);
 if (ret)
- return ret;
+ goto out;
 ret = kadm5_log_end (context);
+out:
+ krb5_storage_free (sp);
 return ret;
 }
@@ -362,43 +365,53 @@ kadm5_log_rename (kadm5_server_context *context,
 krb5_data value;
 kadm5_log_context *log_context = &context->log_context;
+ krb5_data_zero(&value);
+
 sp = krb5_storage_emem();
 ret = hdb_entry2value (context->context, ent, &value);
- if (ret) {
- krb5_storage_free(sp);
- return ret;
- }
+ if (ret)
+ goto failed;
+
 ret = kadm5_log_preamble (context, sp, kadm_rename);
- if (ret) {
- krb5_storage_free(sp);
- krb5_data_free (&value);
- return ret;
- }
- krb5_store_int32 (sp, 0);
+ if (ret)
+ goto failed;
+
+ ret = krb5_store_int32 (sp, 0);
+ if (ret)
+ goto failed;
 off = krb5_storage_seek (sp, 0, SEEK_CUR);
- krb5_store_principal (sp, source);
+ ret = krb5_store_principal (sp, source);
+ if (ret)
+ goto failed;
+
 krb5_storage_write(sp, value.data, value.length);
- krb5_data_free (&value);
 len = krb5_storage_seek (sp, 0, SEEK_CUR) - off;
 krb5_storage_seek(sp, -(len + 4), SEEK_CUR);
- krb5_store_int32 (sp, len);
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto failed;
+
 krb5_storage_seek(sp, len, SEEK_CUR);
- krb5_store_int32 (sp, len);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto failed;
+
 ret = kadm5_log_postamble (log_context, sp);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+ if (ret)
+ goto failed;
+
 ret = kadm5_log_flush (log_context, sp);
- krb5_storage_free (sp);
 if (ret)
- return ret;
- ret = kadm5_log_end (context);
+ goto failed;
+ krb5_storage_free (sp);
+ krb5_data_free (&value);
+
+ return kadm5_log_end (context);
+
+failed:
+ krb5_data_free(&value);
+ krb5_storage_free(sp);
 return ret;
 }
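Review bot: kadm5_log_rename() still uses the result of `krb5_storage_emem()` without a NULL check, although the kadm5_log_delete() hunk of this commit adds one; the kadm5_log_modify() hunk has the same gap. A failed allocation would hand a NULL `sp` to `kadm5_log_preamble` and the store calls. Since `value` is zeroed before the allocation, `if (sp == NULL) return ENOMEM;` directly after the `krb5_storage_emem()` call is enough in both functions. The return value of `krb5_storage_write` is also still ignored in both.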
@@ -464,38 +477,41 @@ kadm5_log_modify (kadm5_server_context *context,
 u_int32_t len;
 kadm5_log_context *log_context = &context->log_context;
+ krb5_data_zero(&value);
+
 sp = krb5_storage_emem();
 ret = hdb_entry2value (context->context, ent, &value);
- if (ret) {
- krb5_storage_free(sp);
- return ret;
- }
+ if (ret)
+ goto failed;
+
 ret = kadm5_log_preamble (context, sp, kadm_modify);
- if (ret) {
- krb5_data_free (&value);
- krb5_storage_free(sp);
- return ret;
- }
+ if (ret)
+ goto failed;
+
 len = value.length + 4;
- krb5_store_int32 (sp, len);
- krb5_store_int32 (sp, mask);
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto failed;
+ ret = krb5_store_int32 (sp, mask);
+ if (ret)
+ goto failed;
 krb5_storage_write (sp, value.data, value.length);
- krb5_data_free (&value);
- krb5_store_int32 (sp, len);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+
+ ret = krb5_store_int32 (sp, len);
+ if (ret)
+ goto failed;
 ret = kadm5_log_postamble (log_context, sp);
- if (ret) {
- krb5_storage_free (sp);
- return ret;
- }
+ if (ret)
+ goto failed;
 ret = kadm5_log_flush (log_context, sp);
- krb5_storage_free (sp);
 if (ret)
- return ret;
- ret = kadm5_log_end (context);
+ goto failed;
+ krb5_data_free(&value);
+ krb5_storage_free (sp);
+ return kadm5_log_end (context);
+failed:
+ krb5_data_free(&value);
+ krb5_storage_free(sp);
 return ret;
 }
diff --git a/kerberosV/src/lib/krb5/addr_families.c b/kerberosV/src/lib/krb5/addr_families.c
index 22ccc63af4f..8daeb6a911a 100644
--- a/kerberosV/src/lib/krb5/addr_families.c
+++ b/kerberosV/src/lib/krb5/addr_families.c
@@ -928,11 +928,18 @@ krb5_parse_address(krb5_context context,
 int error;
 int save_errno;
+ addresses->len = 0;
+ addresses->val = NULL;
+
 for(i = 0; i < num_addrs; i++) {
 if(at[i].parse_addr) {
 krb5_address addr;
 if((*at[i].parse_addr)(context, string, &addr) == 0) {
 ALLOC_SEQ(addresses, 1);
+ if (addresses->val == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
 addresses->val[0] = addr;
 return 0;
 }
@@ -1045,6 +1052,8 @@ krb5_free_addresses(krb5_context context,
 for(i = 0; i < addresses->len; i++)
 krb5_free_address(context, &addresses->val[i]);
 free(addresses->val);
+ addresses->len = 0;
+ addresses->val = NULL;
 return 0;
 }
diff --git a/kerberosV/src/lib/krb5/build_auth.c b/kerberosV/src/lib/krb5/build_auth.c
index e545ae39702..a5571c01957 100644
--- a/kerberosV/src/lib/krb5/build_auth.c
+++ b/kerberosV/src/lib/krb5/build_auth.c
@@ -116,13 +116,12 @@ krb5_build_authenticator (krb5_context context,
 krb5_error_code ret;
 krb5_crypto crypto;
- auth = malloc(sizeof(*auth));
+ auth = calloc(1, sizeof(*auth));
 if (auth == NULL) {
 krb5_set_error_string(context, "malloc: out of memory");
 return ENOMEM;
 }
- memset (auth, 0, sizeof(*auth));
 auth->authenticator_vno = 5;
 copy_Realm(&cred->client->realm, &auth->crealm);
 copy_PrincipalName(&cred->client->name, &auth->cname);
@@ -161,10 +160,8 @@ krb5_build_authenticator (krb5_context context,
 /* XXX - Copy more to auth_context? */
- if (auth_context) {
- auth_context->authenticator->ctime = auth->ctime;
- auth_context->authenticator->cusec = auth->cusec;
- }
+ auth_context->authenticator->ctime = auth->ctime;
+ auth_context->authenticator->cusec = auth->cusec;
 ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret);
 if (ret)
diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c
index ad584732827..dab6aa79956 100644
--- a/kerberosV/src/lib/krb5/crypto.c
+++ b/kerberosV/src/lib/krb5/crypto.c
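Review bot: In krb5_parse_address(), the new ENOMEM return after `ALLOC_SEQ(addresses, 1)` drops `addr`, which `parse_addr` has just filled in successfully. If the parser allocates the address bytes (its implementation is not part of this hunk), they leak on this path. Add `krb5_free_address(context, &addr);` before `return ENOMEM;`. What `ALLOC_SEQ` leaves in `addresses->len` on failure is not visible either, so resetting it to 0 on this path is worth considering.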
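Review bot: The second krb5_build_authenticator() hunk removes the `if (auth_context)` guard, so `auth_context->authenticator->ctime` is now written unconditionally. That is safe only if every caller passes a non-NULL context whose `authenticator` member is allocated; the part of the function that would show an earlier dereference is outside both hunks. Once confirmed, state the precondition next to the assignment, e.g. `/* auth_context must be non-NULL here */`. Separately, `copy_Realm` and `copy_PrincipalName` in the first hunk still have their return values ignored.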
@@ -4176,7 +4176,7 @@ krb5_string_to_key_derived(krb5_context context,
 struct encryption_type *et = _find_enctype(etype);
 krb5_error_code ret;
 struct key_data kd;
- size_t keylen = et->keytype->bits / 8;
+ size_t keylen;
 u_char *tmp;
 if(et == NULL) {
@@ -4184,6 +4184,8 @@ krb5_string_to_key_derived(krb5_context context,
 etype);
 return KRB5_PROG_ETYPE_NOSUPP;
 }
+ keylen = et->keytype->bits / 8;
+
 ALLOC(kd.key, 1);
 if(kd.key == NULL) {
 krb5_set_error_string (context, "malloc: out of memory");
diff --git a/kerberosV/src/lib/krb5/keytab_any.c b/kerberosV/src/lib/krb5/keytab_any.c
index f7512d5327f..f627ab6ca15 100644
--- a/kerberosV/src/lib/krb5/keytab_any.c
+++ b/kerberosV/src/lib/krb5/keytab_any.c
@@ -162,23 +162,22 @@ any_next_entry (krb5_context context,
 ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor);
 if (ret == 0)
 return 0;
- else if (ret == KRB5_KT_END) {
- ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
- if (ret2)
- return ret2;
- while ((ed->a = ed->a->next) != NULL) {
- ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
- if (ret2 == 0)
- break;
- }
- if (ed->a == NULL) {
- krb5_clear_error_string (context);
- return KRB5_KT_END;
- }
- } else
+ else if (ret != KRB5_KT_END)
 return ret;
- } while (ret == KRB5_KT_END);
- return ret;
+
+ ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
+ if (ret2)
+ return ret2;
+ while ((ed->a = ed->a->next) != NULL) {
+ ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+ if (ret2 == 0)
+ break;
+ }
+ if (ed->a == NULL) {
+ krb5_clear_error_string (context);
+ return KRB5_KT_END;
+ }
+ } while (1);
 }
 static krb5_error_code
diff --git a/kerberosV/src/lib/krb5/keytab_file.c b/kerberosV/src/lib/krb5/keytab_file.c
index baf153d76e3..b491523ea8b 100644
--- a/kerberosV/src/lib/krb5/keytab_file.c
+++ b/kerberosV/src/lib/krb5/keytab_file.c
@@ -164,7 +164,7 @@ krb5_kt_ret_principal(krb5_context context,
 int i;
 int ret;
 krb5_principal p;
- int16_t tmp;
+ int16_t len;
 ALLOC(p, 1);
 if(p == NULL) {
@@ -172,25 +172,34 @@ krb5_kt_ret_principal(krb5_context context,
 return ENOMEM;
 }
- ret = krb5_ret_int16(sp, &tmp);
- if(ret)
- return ret;
+ ret = krb5_ret_int16(sp, &len);
+ if(ret) {
+ krb5_set_error_string(context,
+ "Failed decoding length of keytab principal");
+ goto out;
+ }
 if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
- tmp--;
- p->name.name_string.len = tmp;
+ len--;
+ if (len < 0) {
+ krb5_set_error_string(context,
+ "Keytab principal contains invalid length");
+ ret = KRB5_KT_END;
+ goto out;
+ }
 ret = krb5_kt_ret_string(context, sp, &p->realm);
 if(ret)
- return ret;
- p->name.name_string.val = calloc(p->name.name_string.len,
- sizeof(*p->name.name_string.val));
+ goto out;
+ p->name.name_string.val = calloc(len, sizeof(*p->name.name_string.val));
 if(p->name.name_string.val == NULL) {
 krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ ret = ENOMEM;
+ goto out;
 }
+ p->name.name_string.len = len;
 for(i = 0; i < p->name.name_string.len; i++){
 ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i);
 if(ret)
- return ret;
+ goto out;
 }
 if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
 p->name.name_type = KRB5_NT_UNKNOWN;
@@ -199,10 +208,13 @@ krb5_kt_ret_principal(krb5_context context,
 ret = krb5_ret_int32(sp, &tmp32);
 p->name.name_type = tmp32;
 if (ret)
- return ret;
+ goto out;
 }
 *princ = p;
 return 0;
+out:
+ krb5_free_principal(context, p);
+ return ret;
 }
 static krb5_error_code
diff --git a/kerberosV/src/lib/krb5/keytab_krb4.c b/kerberosV/src/lib/krb5/keytab_krb4.c
index 400695a3713..5efeb8826af 100644
--- a/kerberosV/src/lib/krb5/keytab_krb4.c
+++ b/kerberosV/src/lib/krb5/keytab_krb4.c
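Review bot: In the second krb5_kt_ret_principal() hunk, a principal with zero components reaches `calloc(len, ...)` with `len == 0`, and the following `== NULL` test then reports ENOMEM on platforms where calloc(0, n) returns NULL. The store.c hunk of this commit handles the same case with `&& ncomp != 0`; use `if(p->name.name_string.val == NULL && len != 0) {` here as well. Returning `KRB5_KT_END` for a negative length also makes a malformed entry look like the ordinary end of the keytab, so a distinct error code would be easier to diagnose. In the third hunk `p->name.name_type = tmp32;` still runs before `ret` is checked.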
@@ -139,6 +139,11 @@ krb4_kt_start_seq_get_int (krb5_context context,
 return ret;
 }
 c->sp = krb5_storage_from_fd(c->fd);
+ if(c->sp == NULL) {
+ close(c->fd);
+ free(ed);
+ return ENOMEM;
+ }
 krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
 return 0;
 }
@@ -302,11 +307,11 @@ krb4_kt_add_entry (krb5_context context,
 }
 }
 sp = krb5_storage_from_fd(fd);
- krb5_storage_set_eof_code(sp, KRB5_KT_END);
 if(sp == NULL) {
 close(fd);
 return ENOMEM;
 }
+ krb5_storage_set_eof_code(sp, KRB5_KT_END);
 ret = krb4_store_keytab_entry(context, entry, sp);
 krb5_storage_free(sp);
 if(close (fd) < 0)
diff --git a/kerberosV/src/lib/krb5/log.c b/kerberosV/src/lib/krb5/log.c
index 67f21e95933..2ab8af9bc2c 100644
--- a/kerberosV/src/lib/krb5/log.c
+++ b/kerberosV/src/lib/krb5/log.c
@@ -301,6 +301,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 ret = errno;
 krb5_set_error_string (context, "open(%s): %s", fn, strerror(ret));
+ free(fn);
 return ret;
 }
 file = fdopen(i, "a");
@@ -309,6 +310,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 close(i);
 krb5_set_error_string (context, "fdopen(%s): %s", fn, strerror(ret));
+ free(fn);
 return ret;
 }
 keep_open = 1;
diff --git a/kerberosV/src/lib/krb5/mk_req_ext.c b/kerberosV/src/lib/krb5/mk_req_ext.c
index f7c128f74ff..3ad4bbf0437 100644
--- a/kerberosV/src/lib/krb5/mk_req_ext.c
+++ b/kerberosV/src/lib/krb5/mk_req_ext.c
@@ -65,7 +65,7 @@ _krb5_mk_req_internal(krb5_context context,
 if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
 ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
 if(ret)
- return ret;
+ goto out;
 }
 #if 0
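Review bot: The new failure path in krb4_kt_start_seq_get_int() closes `c->fd` and frees `ed` but leaves the cursor `c` as it was. If `ed` was stored in the cursor earlier in the function (that part is outside the hunk), the caller keeps a pointer to freed memory and a closed descriptor, so the cursor field holding `ed` should be cleared before returning. Unlike the other ENOMEM paths touched by this commit, this one also sets no error string; add `krb5_set_error_string(context, "malloc: out of memory");` before `return ENOMEM;`.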
@@ -93,7 +93,9 @@ _krb5_mk_req_internal(krb5_context context,
 #endif
 krb5_free_keyblock(context, ac->keyblock);
- krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+ ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+ if (ret)
+ goto out;
 /* it's unclear what type of checksum we can use. try the best one, except:
 * a) if it's configured differently for the current realm, or
@@ -125,7 +127,7 @@ _krb5_mk_req_internal(krb5_context context,
 ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
 if (ret)
- return ret;
+ goto out;
 ret = krb5_create_checksum(context, crypto, checksum_usage,
@@ -133,13 +135,15 @@ _krb5_mk_req_internal(krb5_context context,
 in_data->data, in_data->length, &c);
-
- krb5_crypto_destroy(context, crypto);
+ krb5_crypto_destroy(context, crypto);
 }
 c_opt = &c;
 } else {
 c_opt = NULL;
 }
+
+ if (ret)
+ goto out;
 ret = krb5_build_authenticator (context, ac,
@@ -152,10 +156,11 @@ _krb5_mk_req_internal(krb5_context context,
 if (c_opt)
 free_Checksum (c_opt);
 if (ret)
- return ret;
+ goto out;
 ret = krb5_build_ap_req (context, ac->keyblock->keytype, in_creds, ap_req_options, authenticator, outbuf);
+out:
 if(auth_context == NULL)
 krb5_auth_con_free(context, ac);
 return ret;
diff --git a/kerberosV/src/lib/krb5/principal.c b/kerberosV/src/lib/krb5/principal.c
index 2be309fe2dd..e5e7cccb972 100644
--- a/kerberosV/src/lib/krb5/principal.c
+++ b/kerberosV/src/lib/krb5/principal.c
@@ -98,7 +98,7 @@ krb5_parse_name(krb5_context context,
 {
 krb5_error_code ret;
 heim_general_string *comp;
- heim_general_string realm;
+ heim_general_string realm = NULL;
 int ncomp;
 const char *p;
@@ -225,6 +225,7 @@ exit:
 free(comp[--n]);
 }
 free(comp);
+ free(realm);
 free(s);
 return ret;
 }
diff --git a/kerberosV/src/lib/krb5/rd_req.c b/kerberosV/src/lib/krb5/rd_req.c
index 1ff1ab920bb..b37d41314cc 100644
--- a/kerberosV/src/lib/krb5/rd_req.c
+++ b/kerberosV/src/lib/krb5/rd_req.c
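Review bot: In the `-93` hunk of _krb5_mk_req_internal(), `krb5_free_keyblock(context, ac->keyblock)` runs directly before the now-checked `krb5_copy_keyblock`, and the new `goto out` leaves `ac->keyblock` pointing at the freed block unless the copy routine rewrites it on failure, which is not visible here. At `out:` a locally created `ac` goes to `krb5_auth_con_free`, which presumably releases the keyblock again, and a caller-supplied context is handed back with the stale pointer. Add `ac->keyblock = NULL;` between the free and the copy so both cases see a cleared field.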
@@ -271,8 +271,10 @@ krb5_verify_authenticator_checksum(krb5_context context,
 &authenticator);
 if(ret)
 return ret;
- if(authenticator->cksum == NULL)
+ if(authenticator->cksum == NULL) {
+ krb5_free_authenticator(context, &authenticator);
 return -17;
+ }
 ret = krb5_auth_con_getkey(context, ac, &key);
 if(ret) {
 krb5_free_authenticator(context, &authenticator);
diff --git a/kerberosV/src/lib/krb5/store.c b/kerberosV/src/lib/krb5/store.c
index a690386cdcd..b9b2ad8f2dc 100644
--- a/kerberosV/src/lib/krb5/store.c
+++ b/kerberosV/src/lib/krb5/store.c
@@ -420,7 +420,7 @@ krb5_ret_principal(krb5_storage *sp,
 if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
 type = KRB5_NT_UNKNOWN;
- else if((ret = krb5_ret_int32(sp, &type))){
+ else if((ret = krb5_ret_int32(sp, &type))){
 free(p);
 return ret;
 }
@@ -430,18 +430,31 @@ krb5_ret_principal(krb5_storage *sp,
 }
 if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
 ncomp--;
+ if (ncomp < 0) {
+ free(p);
+ return EINVAL;
+ }
 p->name.name_type = type;
 p->name.name_string.len = ncomp;
 ret = krb5_ret_string(sp, &p->realm);
- if(ret) return ret;
+ if(ret) {
+ free(p);
+ return ret;
+ }
 p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
- if(p->name.name_string.val == NULL){
+ if(p->name.name_string.val == NULL && ncomp != 0){
 free(p->realm);
 return ENOMEM;
 }
 for(i = 0; i < ncomp; i++){
 ret = krb5_ret_string(sp, &p->name.name_string.val[i]);
- if(ret) return ret; /* XXX */
+ if(ret) {
+ while (i >= 0)
+ free(p->name.name_string.val[i--]);
+ free(p->realm);
+ free(p);
+ return ret;
+ }
 }
 *princ = p;
 return 0;
diff --git a/kerberosV/src/lib/krb5/transited.c b/kerberosV/src/lib/krb5/transited.c
index 4635a7d71d2..b617625b331 100644
--- a/kerberosV/src/lib/krb5/transited.c
+++ b/kerberosV/src/lib/krb5/transited.c
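Review bot: The new cleanup inside the component loop of krb5_ret_principal() (second store.c hunk) frees the component strings, `p->realm` and `p`, but not the `p->name.name_string.val` array itself, so a failing `krb5_ret_string` still leaks the array. Add `free(p->name.name_string.val);` before `free(p->realm);`. The ENOMEM branch just above has the opposite gap: it frees `p->realm` and returns without `free(p)`, unlike the other error paths this hunk adds.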
@@ -100,8 +100,10 @@ make_path(krb5_context context, struct tr_realm *r,
 p = from + strlen(from);
 while(1){
 while(p >= from && *p != '/') p--;
- if(p == from)
+ if(p == from) {
+ r->next = path; /* XXX */
 return KRB5KDC_ERR_POLICY;
+ }
 if(strncmp(to, from, p - from) == 0)
 break;
 tmp = calloc(1, sizeof(*tmp)); |
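Review bot: The added `r->next = path; /* XXX */` in make_path() gives no reason for attaching the partly built list to `r` on the error path. It looks as if this hands the nodes allocated so far to the caller so they are freed with the rest of the list, but the caller and the remainder of the loop are outside the hunk. Once confirmed, replace the marker with a comment that says so, e.g. `/* attach the partial path so the caller frees it */`.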