From 18b76b6236ee36c44ead644f7ef58e0365c6147e Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Wed, 18 May 2011 10:00:31 -0400
Subject: [PATCH] fcache: prevent null pointer dereference

Validate krb5_ccache and krb5_cc_cursor inputs before use. Avoid null pointer dereference which can occur if an application fails to properly check return codes.

Change-Id: I8023808936e60cc7b8e57a062106cfcdc51ee7d7
---
 lib/krb5/fcache.c | 56 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index b3bbfaab0..fe3d5312f 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -62,6 +62,9 @@ static const char* KRB5_CALLCONV
 fcc_get_name(krb5_context context,
 krb5_ccache id)
 {
+ if (FCACHE(id) == NULL)
+ return NULL;
+
 return FILENAME(id);
 }
 
@@ -383,8 +386,14 @@ fcc_open(krb5_context context,
 krb5_boolean exclusive = ((flags | O_WRONLY) == flags ||
 (flags | O_RDWR) == flags);
 krb5_error_code ret;
- const char *filename = FILENAME(id);
+ const char *filename;
 int fd;
+
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
+ filename = FILENAME(id);
+
 fd = open(filename, flags, mode);
 if(fd < 0) {
 char buf[128];
@@ -412,9 +421,11 @@ fcc_initialize(krb5_context context,
 krb5_fcache *f = FCACHE(id);
 int ret = 0;
 int fd;
- char *filename = f->filename;
- unlink (filename);
+ if (f == NULL)
+ return EINVAL;
+
+ unlink (f->filename);
 ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
 if(ret)
@@ -464,6 +475,9 @@ static krb5_error_code KRB5_CALLCONV
 fcc_close(krb5_context context,
 krb5_ccache id)
 {
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
 free (FILENAME(id));
 krb5_data_free(&id->data);
 return 0;
@@ -473,6 +487,9 @@ static krb5_error_code KRB5_CALLCONV
 fcc_destroy(krb5_context context,
 krb5_ccache id)
 {
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
 _krb5_erase_file(context, FILENAME(id));
 return 0;
 }
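Review bot: Every guard this patch adds tests `FCACHE(id) == NULL`, but nothing in fcc_close says why a closed cache ends up in that state; the hunk frees the filename and then calls `krb5_data_free(&id->data)`, which is presumably what resets `id->data.data` to NULL and lets the later checks catch a cache used after close — confirm against krb5_data_free. A one-line comment above `free (FILENAME(id));` would make that contract explicit for the next maintainer: `/* krb5_data_free() leaves id->data.data NULL, so the FCACHE(id) guards reject a cache used after close */`. The function's closing brace is outside the hunk.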
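Review bot: The return value of `_krb5_erase_file(context, FILENAME(id))` is discarded and fcc_destroy then reports success unconditionally with `return 0;`, so a cache file that could not be erased — credentials still on disk — is invisible to whoever called the destroy entry point. If `_krb5_erase_file` returns a krb5_error_code (its `context` argument suggests it does; confirm in its declaration), `return _krb5_erase_file(context, FILENAME(id));` would propagate the failure. The new NULL guard itself is fine; this concerns the two lines below it.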
@@ -701,6 +718,9 @@ fcc_get_first (krb5_context context,
 krb5_error_code ret;
 krb5_principal principal;
 
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
 *cursor = malloc(sizeof(struct fcc_cursor));
 if (*cursor == NULL) {
 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
@@ -733,6 +753,13 @@ fcc_get_next (krb5_context context,
 krb5_creds *creds)
 {
 krb5_error_code ret;
+
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return EINVAL;
+
 if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
 return ret;
@@ -749,6 +776,13 @@ fcc_end_get (krb5_context context,
 krb5_ccache id,
 krb5_cc_cursor *cursor)
 {
+
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return EINVAL;
+
 krb5_storage_free(FCC_CURSOR(*cursor)->sp);
 close (FCC_CURSOR(*cursor)->fd);
 free(*cursor);
@@ -767,6 +801,9 @@ fcc_remove_cred(krb5_context context,
 char *newname = NULL;
 int fd;
 
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
 ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, ©);
 if (ret)
 return ret;
@@ -827,6 +864,9 @@ fcc_set_flags(krb5_context context,
 krb5_ccache id,
 krb5_flags flags)
 {
+ if (FCACHE(id) == NULL)
+ return EINVAL;
+
 return 0; /* XXX */
 }
 
@@ -834,6 +874,9 @@ static int KRB5_CALLCONV
 fcc_get_version(krb5_context context,
 krb5_ccache id)
 {
+ if (FCACHE(id) == NULL)
+ return -1;
+
 return FCACHE(id)->version;
 }
 
@@ -864,6 +907,9 @@ fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
 const char *fn;
 char *expandedfn = NULL;
 
+ if (iter == NULL)
+ return EINVAL;
+
 if (!iter->first) {
 krb5_clear_error_message(context);
 return KRB5_CC_END;
@@ -900,6 +946,10 @@ static krb5_error_code KRB5_CALLCONV
 fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
 {
 struct fcache_iter *iter = cursor;
+
+ if (iter == NULL)
+ return EINVAL;
+
 free(iter);
 return 0;
 }
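Review bot: The new `return EINVAL;` leaves the context's error message untouched, while the ENOMEM path three lines below sets one with krb5_set_error_message, so a caller that asks the context for a message after this failure presumably gets a stale or empty one. Since the patch adds the same bare `return EINVAL;` to most fcache entry points, either pair each with a message, e.g. `krb5_set_error_message(context, EINVAL, N_("invalid credential cache", ""));`, or at least call `krb5_clear_error_message(context);` before returning so an older message is not misattributed to this failure. The hunk ends inside the `if (*cursor == NULL)` block; the rest of fcc_get_first is outside it.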
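Review bot: `free(*cursor);` leaves `*cursor` dangling, so the new `FCC_CURSOR(*cursor) == NULL` guard above it does not cover the scenario this patch targets — an application that calls the end-get entry point twice on the same cursor passes the guard and frees the cursor a second time. Setting `*cursor = NULL;` immediately after `free(*cursor);` makes the second call hit the guard and return EINVAL instead. fcc_end_get's return statement is outside the hunk.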