Diffstat (limited to 'staging/krb5/CVE-2011-0285.patch')
-rw-r--r-- | staging/krb5/CVE-2011-0285.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/staging/krb5/CVE-2011-0285.patch b/staging/krb5/CVE-2011-0285.patch
new file mode 100644
index 000000000..61039113f
--- /dev/null
+++ b/staging/krb5/CVE-2011-0285.patch
@@ -0,0 +1,39 @@
+diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
+index 1124445..0056885 100644
+--- a/src/kadmin/server/schpw.c
++++ b/src/kadmin/server/schpw.c
+@@ -52,6 +52,7 @@ process_chpw_request(context, server_handle, realm, keytab,
+
+ ret = 0;
+ rep->length = 0;
++ rep->data = NULL;
+
+ auth_context = NULL;
+ changepw = NULL;
+@@ -76,8 +77,13 @@ process_chpw_request(context, server_handle, realm, keytab,
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+- if (plen != req->length)
+- return(KRB5KRB_AP_ERR_MODIFIED);
++ if (plen != req->length) {
++ ret = KRB5KRB_AP_ERR_MODIFIED;
++ numresult = KRB5_KPASSWD_MALFORMED;
++ strlcpy(strresult, "Request length was inconsistent",
++ sizeof(strresult));
++ goto chpwfail;
++ }
+
+ /* verify version number */
+
+@@ -531,6 +537,10 @@ cleanup:
+ if (local_kaddrs != NULL)
+ krb5_free_addresses(server_handle->context, local_kaddrs);
+
++ if ((*response)->data == NULL) {
++ free(*response);
++ *response = NULL;
++ }
 krb5_kt_close(server_handle->context, kt);
+
+ return ret;
|
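Review bot: The check added under `cleanup:` in the third inner hunk, `if ((*response)->data == NULL)`, dereferences `*response` without first testing it for NULL. The function containing that label starts outside the hunk, so where `*response` is allocated and which failure paths jump to `cleanup` are not visible here. If any path reaches the label before the allocation succeeds, the new lines would presumably read through a NULL pointer in a network-facing password-change handler and trade the invalid free for a crash. Guarding the test removes that dependency: `if (*response != NULL && (*response)->data == NULL) {`. Because this is a carried copy of a CVE fix, a short header comment in the patch file naming its upstream origin would also help whoever has to decide later when it can be dropped.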