From 6cf54e3429e9e407238b294191931f62ddfa1aa9 Mon Sep 17 00:00:00 2001 From: bugbomb Date: Wed, 29 Jun 2005 18:11:18 -0700 Subject: 6261685 Security : buffer overflow, heap corruption in KDC --- usr/src/cmd/krb5/krb5kdc/do_as_req.c | 6 +++++- usr/src/cmd/krb5/krb5kdc/do_tgs_req.c | 6 +++++- usr/src/cmd/krb5/krb5kdc/network.c | 5 +++-- usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c | 6 ++++-- 4 files changed, 17 insertions(+), 6 deletions(-) (limited to 'usr/src') diff --git a/usr/src/cmd/krb5/krb5kdc/do_as_req.c b/usr/src/cmd/krb5/krb5kdc/do_as_req.c index f97a250914..576d3643d8 100644 --- a/usr/src/cmd/krb5/krb5kdc/do_as_req.c +++ b/usr/src/cmd/krb5/krb5kdc/do_as_req.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -553,6 +553,10 @@ krb5_data **response; retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); + if (retval) + free(scratch); + else *response = scratch; + return retval; } diff --git a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c index e6058b41f6..ad531d1468 100644 --- a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c +++ b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -740,7 +740,11 @@ krb5_data **response; retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); + if (retval) + free(scratch); + else *response = scratch; + return retval; } diff --git a/usr/src/cmd/krb5/krb5kdc/network.c b/usr/src/cmd/krb5/krb5kdc/network.c index 8a93019982..ffa738b800 100644 --- a/usr/src/cmd/krb5/krb5kdc/network.c +++ b/usr/src/cmd/krb5/krb5kdc/network.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -732,7 +732,8 @@ static void process_packet(struct connection *conn, const char *prog, krb5_data *response; char pktbuf[MAX_DGRAM_SIZE]; int port_fd = conn->fd; - + + response = NULL; saddr_len = sizeof(saddr); cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0, (struct sockaddr *)&saddr, &saddr_len); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c index a0c8f59e17..ef6d425982 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -98,7 +98,9 @@ krb5_unparse_name_ext(context, principal, name, size) totalsize++; totalsize++; /* This is for the separator */ } - + if (nelem == 0 ) + totalsize++; + /* * Allocate space for the ascii string; if space has been * provided, use it, realloc'ing it if necessary. -- cgit v1.2.3