Patch 8/9: KerbSubmitTicket() should check malloc() return for NULL

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Patch 8/9: KerbSubmitTicket() should check malloc() return for NULL

Alexandr Nedvedicky
Hello,

I'm upgrading kerberos bundled with Solaris to krb5-1.16. Solaris currently
ships krb5-1.15.1. I've noticed there are some memory leaks, while running test
suite, which comes with krb-1.16 (e.g. running 'make check').  I don't think
those memory leaks are critical, though as kerberos newbie I can't be sure, so
I think I'm better to share my findings. All memory leaks were found using
'libumem', which can be found on Solaris (or its OSS sibbling illumos).
All patches are against krb5-1.16 release.

I have not seen such NULL-pointer dereference panic. I've just spot
this while I was browsing through code. Same goes to potential
memory leak on 'keyblock->contents == NULL'.

regards
sasha

--------8<---------------8<---------------8<------------------8<--------
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index c741a5099..c26975c65 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -765,9 +765,16 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG  PackageId,
      * that an enctype other than NULL be used. */
     if (keyblock == NULL) {
         keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
+ if (keyblock == NULL) {
+ return FALSE;
+ }
         keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
         keyblock->length = 16;
         keyblock->contents = (krb5_octet *)malloc(16);
+ if (keyblock->contents == NULL) {
+ free(keyblock);
+ return FALSE;
+ }
         keyblock->contents[0] = 0xde;
         keyblock->contents[1] = 0xad;
         keyblock->contents[2] = 0xbe;
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev