hpropd: Fix use-after-free? (WIP)

Nicolas Williams
2023-01-02 20:52:24 -06:00
parent 12160382a0
commit 1a0e535871


@@ -78,7 +78,7 @@ main(int argc, char **argv)
krb5_socket_t sock = rk_INVALID_SOCKET; krb5_socket_t sock = rk_INVALID_SOCKET;
HDB *db = NULL; HDB *db = NULL;
int optidx = 0; int optidx = 0;
char *tmp_db; char *tmp_db = NULL;
krb5_log_facility *fac; krb5_log_facility *fac;
int nprincs; int nprincs;
@@ -208,20 +208,15 @@ main(int argc, char **argv)
krb5_err(context, 1, ret, "krb5_kt_close"); krb5_err(context, 1, ret, "krb5_kt_close");
} }
if (!print_dump) { if (asprintf(&tmp_db, "%s~", database) < 0 || tmp_db == NULL)
int aret; krb5_errx(context, 1, "hdb_create: out of memory");
aret = asprintf(&tmp_db, "%s~", database); ret = hdb_create(context, &db, tmp_db);
if (aret == -1) if (ret)
krb5_errx(context, 1, "hdb_create: out of memory"); krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
ret = hdb_create(context, &db, tmp_db); if (ret)
if (ret) krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
if (ret)
krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
}
nprincs = 0; nprincs = 0;
while (1){ while (1){
@@ -244,14 +239,6 @@ main(int argc, char **argv)
data.length = 0; data.length = 0;
krb5_write_priv_message(context, ac, &sock, &data); krb5_write_priv_message(context, ac, &sock, &data);
} }
if (!print_dump) {
ret = db->hdb_close(context, db);
if (ret)
krb5_err(context, 1, ret, "db_close");
ret = db->hdb_rename(context, db, database);
if (ret)
krb5_err(context, 1, ret, "db_rename");
}
break; break;
} }
memset(&entry, 0, sizeof(entry)); memset(&entry, 0, sizeof(entry));
@@ -284,6 +271,13 @@ main(int argc, char **argv)
if (!print_dump) if (!print_dump)
krb5_log(context, fac, 0, "Received %d principals", nprincs); krb5_log(context, fac, 0, "Received %d principals", nprincs);
ret = db->hdb_close(context, db);
if (ret)
krb5_err(context, 1, ret, "db_close");
ret = db->hdb_rename(context, db, database);
if (ret)
krb5_err(context, 1, ret, "db_rename");
if (inetd_flag == 0) if (inetd_flag == 0)
rk_closesocket(sock); rk_closesocket(sock);
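Review bot: With the `if (!print_dump)` guards dropped, the temp-database setup in the second hunk and the `hdb_close`/`hdb_rename` pair in the last hunk now run in print-dump mode too, so a run that only prints would still open `tmp_db` with `O_CREAT | O_TRUNC` and rename it over `database`. The loop body that stores entries lies outside the visible hunks, but if print mode does not store into `db`, this replaces the live database with an empty one. Keep the relocation but restore the condition at both sites, i.e. `if (!print_dump) {` around the `asprintf`/`hdb_create`/`hdb_open` block and again around the close/rename after the loop. Separately, `hdb_rename` is still called on `db` after `hdb_close`, so if that ordering is the suspected use-after-free, moving the calls does not change it; a comment naming which object is freed early would make the intent of the fix reviewable.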