Heap corruption in ipapwd plugin

ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.

allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL

https://fedorahosted.org/freeipa/ticket/6030

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Thierry Bordaz 2016-07-18 15:00:02 +02:00 committed by Martin Basti
parent 72b2c8a54d
commit b04f617803


@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
pwd.length = strlen(data->password);
}
kset = malloc(sizeof(struct ipapwd_keyset));
kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset));
if (!kset) {
LOG_OOM();
goto enc_error;
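Review bot: the switch from malloc to calloc at the `kset =` line is the right minimal fix, since it guarantees `kset->num_keys == 0` and `kset->keys == NULL` before `ipa_krb5_generate_key_data` can fail and `ipapwd_keyset_free` walks the struct on the `enc_error` path; two small points. First, the explicit `(struct ipapwd_keyset *)` cast on the calloc return is unnecessary in C and can hide a missing `<stdlib.h>` declaration, so `kset = calloc(1, sizeof(*kset));` would be cleaner. Second, the correctness of the error path now depends on `ipapwd_keyset_free` treating a zeroed struct as empty (zero-length loop over `keys`, `free(NULL)`), which the commit message asserts but this hunk does not show; a one-line comment above the allocation noting that the zero-initialisation is relied upon by the cleanup path would keep a future change back to `malloc` from silently reintroducing the uninitialised-free bug.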