On 07/13/2016 10:02 PM, Lukas Slebodnik wrote:
On (13/07/16 16:50), thierry bordaz wrote:
https://fedorahosted.org/freeipa/ticket/6030
From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <[email protected]>
Date: Wed, 13 Jul 2016 15:34:20 +0200
Subject: [PATCH] Ticket 6030 Bug in the ipapwd plugin
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.
Allocate kset with calloc so that kset->num_keys==0 and
kset->keys==NULL.
https://fedorahosted.org/freeipa/ticket/6030
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 5ca155d..46bf79a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -148,7 +148,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct
ipapwd_krbcfg *krbcfg,
pwd.length = strlen(data->password);
}
- kset = malloc(sizeof(struct ipapwd_keyset));
+ kset = calloc(sizeof(struct ipapwd_keyset));
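Review bot: the `+` line passes calloc a single argument, but calloc's signature is `void *calloc(size_t nmemb, size_t size);`, so this hunk does not build as intended; it should read `kset = calloc(1, sizeof(struct ipapwd_keyset));`. The fix also relies on ipapwd_keyset_free accepting num_keys==0 and keys==NULL on the failure path, as the commit message describes, and that routine is not in the hunk, so it is worth confirming it tolerates a NULL keys pointer before merging.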
I thought that calloc needs two arguments.
man malloc says:
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);
LS
Oops, sorry for this dummy patch. Here is the right one.
thanks
thierry
From 84efaaab758a07fa8cee2f6ad44ba770b67b4bbc Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <[email protected]>
Date: Mon, 18 Jul 2016 15:00:02 +0200
Subject: [PATCH] Heap corruption in ipapwd plugin
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.
Allocate kset with calloc so that kset->num_keys==0 and
kset->keys==NULL.
https://fedorahosted.org/freeipa/ticket/6030
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 9c62f05..7b2f341 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
pwd.length = strlen(data->password);
}
- kset = malloc(sizeof(struct ipapwd_keyset));
+ kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset));
if (!kset) {
LOG_OOM();
goto enc_error;
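Review bot: the cast on the `+` line is unnecessary in C, since calloc returns `void *` which converts implicitly, and the surrounding code does not cast malloc either; `kset = calloc(1, sizeof(struct ipapwd_keyset));` is the idiomatic form and keeps the line short. Because the correctness of the error path (ipapwd_keyset_free walking num_keys entries of keys) now silently depends on the zeroed allocation, a one-line comment next to the calloc saying so would stop a future change back to malloc from reintroducing the bug.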
--
2.5.0
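The bug pattern the commit message describes, reduced to a stand-alone program. This is an added example, not FreeIPA code: `struct keyset`, `generate_key_data`, `keyset_free`, `keyset_alloc_malloc_dirty`, `keyset_alloc_zeroed` and `encode_key` are hypothetical stand-ins for ipapwd_keyset, ipa_krb5_generate_key_data, ipapwd_keyset_free and ipapwd_encrypt_encode_key, and the 0xAA fill is a constructed substitute for whatever a reused heap block really contains. It shows why the cleanup routine cannot be handed a malloc'd struct whose count and pointer were never assigned, and why a zeroed allocation makes the EINVAL path safe.

```c
/* Added example (not FreeIPA code): uninitialized count/pointer fields
 * consumed by a free routine on the error path, and the calloc fix. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct key {
    size_t length;
    unsigned char *contents;
};

struct keyset {            /* hypothetical stand-in for ipapwd_keyset */
    int num_keys;
    struct key *keys;
};

/* Stand-in for ipa_krb5_generate_key_data: fails with EINVAL when the
 * principal has no realm and, like the real one, leaves the out-params
 * untouched on failure. */
static int generate_key_data(const char *realm, const char *password,
                             int *num_keys, struct key **keys)
{
    if (realm == NULL || *realm == '\0')
        return EINVAL;
    int n = 2;                                  /* constructed: two enctypes */
    struct key *k = calloc((size_t)n, sizeof(*k));
    if (k == NULL)
        return ENOMEM;
    for (int i = 0; i < n; i++) {
        k[i].length = strlen(password);
        k[i].contents = malloc(k[i].length);
        if (k[i].contents == NULL) {
            for (int j = 0; j < i; j++) free(k[j].contents);
            free(k);
            return ENOMEM;
        }
        memcpy(k[i].contents, password, k[i].length);   /* toy "key" */
    }
    *num_keys = n;
    *keys = k;
    return 0;
}

/* Stand-in for ipapwd_keyset_free: trusts num_keys and keys completely. */
static void keyset_free(struct keyset *ks)
{
    if (ks == NULL) return;
    for (int i = 0; i < ks->num_keys; i++)
        free(ks->keys[i].contents);
    free(ks->keys);
    free(ks);
}

/* The 'before' allocation on a reused heap: malloc() plus a constructed
 * 0xAA fill standing in for whatever the previous owner left behind. */
static struct keyset *keyset_alloc_malloc_dirty(void)
{
    struct keyset *ks = malloc(sizeof(*ks));
    if (ks != NULL) memset(ks, 0xAA, sizeof(*ks));
    return ks;
}

/* The fix: a zeroed block is already a valid, empty keyset. */
static struct keyset *keyset_alloc_zeroed(void)
{
    return calloc(1, sizeof(struct keyset));
}

/* True iff keyset_free() may be called on a keyset that
 * generate_key_data() never populated. */
static int keyset_safe_to_free_unpopulated(const struct keyset *ks)
{
    return ks != NULL && ks->num_keys == 0 && ks->keys == NULL;
}

static int dirty_alloc_is_safe_to_free(void)
{
    struct keyset *ks = keyset_alloc_malloc_dirty();
    int safe = keyset_safe_to_free_unpopulated(ks);
    free(ks);          /* plain free(): keyset_free() would walk garbage */
    return safe;
}

static int zeroed_alloc_is_safe_to_free(void)
{
    struct keyset *ks = keyset_alloc_zeroed();
    int safe = keyset_safe_to_free_unpopulated(ks);
    keyset_free(ks);   /* num_keys==0, keys==NULL: nothing to walk */
    return safe;
}

/* Fixed encode path: returns the key count, or -errno after freeing kset. */
static int encode_key(const char *realm, const char *password)
{
    struct keyset *ks = keyset_alloc_zeroed();
    if (ks == NULL) return -ENOMEM;
    int rc = generate_key_data(realm, password, &ks->num_keys, &ks->keys);
    if (rc != 0) { keyset_free(ks); return -rc; }   /* safe on the zeroed struct */
    int n = ks->num_keys;
    keyset_free(ks);
    return n;
}

int main(void)
{
    printf("dirty malloc safe: %d, calloc safe: %d\n",
           dirty_alloc_is_safe_to_free(), zeroed_alloc_is_safe_to_free());
    printf("no realm -> %d, realm -> %d keys\n",
           encode_key("", "Secret123"), encode_key("EXAMPLE.TEST", "Secret123"));
    return 0;
}
```

The dirty allocation is only ever released with plain free() here, because handing it to keyset_free() is exactly the undefined behaviour the patch removes; the zeroed one can go through keyset_free() untouched, which is what makes the EINVAL return in encode_key() safe.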
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code