6261685 Security : buffer overflow, heap corruption in KDC

4 files changed, 17 insertions, 6 deletions

diff --git a/usr/src/cmd/krb5/krb5kdc/do_as_req.c b/usr/src/cmd/krb5/krb5kdc/do_as_req.c
index f97a250914..576d3643d8 100644
--- a/usr/src/cmd/krb5/krb5kdc/do_as_req.c
+++ b/usr/src/cmd/krb5/krb5kdc/do_as_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -553,6 +553,10 @@ krb5_data **response;
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
+    if (retval)
+    free(scratch);
+    else 
     *response = scratch;
+    
     return retval;
 }
diff --git a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
index e6058b41f6..ad531d1468 100644
--- a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
+++ b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -740,7 +740,11 @@ krb5_data **response;
 
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
+    if (retval)
+    free(scratch); 
+    else
     *response = scratch;
+    
     return retval;
 }
 
diff --git a/usr/src/cmd/krb5/krb5kdc/network.c b/usr/src/cmd/krb5/krb5kdc/network.c
index 8a93019982..ffa738b800 100644
--- a/usr/src/cmd/krb5/krb5kdc/network.c
+++ b/usr/src/cmd/krb5/krb5kdc/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -732,7 +732,8 @@ static void process_packet(struct connection *conn, const char *prog,
     krb5_data *response;
     char pktbuf[MAX_DGRAM_SIZE];
     int port_fd = conn->fd;
-
+    
+    response = NULL;
     saddr_len = sizeof(saddr);
     cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
 		  (struct sockaddr *)&saddr, &saddr_len);
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c
index a0c8f59e17..ef6d425982 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c
+++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -98,7 +98,9 @@ krb5_unparse_name_ext(context, principal, name, size)
 				totalsize++;
 		totalsize++;	/* This is for the separator */
 	}
-
+	if (nelem == 0 )
+		totalsize++;
+	
 	/*
 	 * Allocate space for the ascii string; if space has been
 	 * provided, use it, realloc'ing it if necessary.