The branch main has been updated by cy:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e13150e28c93d9e74f419dcd17d2e2bad41715ad

commit e13150e28c93d9e74f419dcd17d2e2bad41715ad
Author:     Cy Schubert <[email protected]>
AuthorDate: 2022-11-25 23:29:14 +0000
Commit:     Cy Schubert <[email protected]>
CommitDate: 2022-11-27 02:41:51 +0000

    heimdal: Fix uninitialized pointer dereference
    
    krb5_ret_principal() returns a non-zero return code when
    a garbage principal is passed to it. Unfortunately ret_principal_ent()
    does not check the return code, leaving a garbage pointer where the
    principal would have been. This results in a segfault when free() is
    called.
    
    PR:             267944, 267972
    Reported by:    Robert Morris <[email protected]>
    MFC after:      3 days
---
 crypto/heimdal/lib/kadm5/marshall.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/crypto/heimdal/lib/kadm5/marshall.c 
b/crypto/heimdal/lib/kadm5/marshall.c
index fa7388b692fe..292cdf6107e8 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp,
     int i;
     int32_t tmp;
 
-    if (mask & KADM5_PRINCIPAL)
-       krb5_ret_principal(sp, &princ->principal);
-
+    if (mask & KADM5_PRINCIPAL) 
+       if (krb5_ret_principal(sp, &princ->principal))
+           return EINVAL;
     if (mask & KADM5_PRINC_EXPIRE_TIME) {
        krb5_ret_int32(sp, &tmp);
        princ->princ_expire_time = tmp;
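Review bot: The added error path at `if (krb5_ret_principal(sp, &princ->principal))` discards the krb5_error_code it just received and returns a fixed EINVAL, so a caller cannot tell ENOMEM apart from a malformed encoding; propagating the code is just as short, e.g. `ret = krb5_ret_principal(sp, &princ->principal); if (ret) return ret;` with a `krb5_error_code ret` declared next to `tmp` (the function's return type is above the hunk, so confirm it can carry that type). The same collapse to EINVAL appears in the KADM5_MOD_NAME hunk below. The `krb5_ret_int32(sp, &tmp)` under KADM5_PRINC_EXPIRE_TIME is still unchecked and `tmp` is declared without an initializer, so on a short input `princ->princ_expire_time = tmp` copies an indeterminate value — the same class of problem this commit fixes for the principal. Two style nits on the new lines: the rewritten `if (mask & KADM5_PRINCIPAL) ` carries trailing whitespace, and the nested unbraced `if` would read more safely as `if (mask & KADM5_PRINCIPAL) { ... }`. ret_principal_ent starts and ends outside the hunk.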
@@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp,
     }
     if (mask & KADM5_MOD_NAME) {
        krb5_ret_int32(sp, &tmp);
-       if(tmp)
-           krb5_ret_principal(sp, &princ->mod_name);
-       else
+       if(tmp) {
+           if (krb5_ret_principal(sp, &princ->mod_name))
+               return EINVAL;
+       } else
            princ->mod_name = NULL;
     }
     if (mask & KADM5_MOD_TIME) {
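Review bot: The new `} else` on the KADM5_MOD_NAME branch braces the if-arm but leaves the else-arm unbraced; `} else {` / `princ->mod_name = NULL;` / `}` keeps both arms uniform and avoids the usual single-statement-else hazard on later edits. The `krb5_ret_int32(sp, &tmp)` directly above the new check is still unchecked, so when the encoding ends early `tmp` keeps a stale or indeterminate value (it is declared earlier in the function without an initializer) and the `if(tmp)` decision — and the principal read it guards — runs on that value; checking that return as well closes the gap. ret_principal_ent continues outside the hunk.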
