oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

pkinit: fix leak in client

Browse Source
This commit is contained in:
Nicolas Williams
2019-07-05 15:30:43 -05:00
parent 37b55e1fdb
commit 941dfd95a3
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
lib/krb5/pkinit.c
View File

@@ -1091,6 +1091,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
struct krb5_pk_cert *host = NULL; struct krb5_pk_cert *host = NULL;
krb5_data content; krb5_data content;
heim_octet_string unwrapped;
heim_oid contentType = { 0, NULL }; heim_oid contentType = { 0, NULL };
int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT; int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
@@ -1122,9 +1123,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
/* win2k uses ContentInfo */ /* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) { if (type == PKINIT_WIN2K) {
heim_oid type2; heim_oid type2;
heim_octet_string out;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL); ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) { if (ret) {
/* windows LH with interesting CMS packets */ /* windows LH with interesting CMS packets */
size_t ph = 1 + der_length_len(content.length); size_t ph = 1 + der_length_len(content.length);
@@ -1143,7 +1143,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.data = ptr; content.data = ptr;
content.length += ph; content.length += ph;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL); ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) if (ret)
goto out; goto out;
} }
@@ -1152,13 +1152,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
N_("PKINIT: Invalid content type", "")); N_("PKINIT: Invalid content type", ""));
der_free_oid(&type2); der_free_oid(&type2);
der_free_octet_string(&out); der_free_octet_string(&unwrapped);
goto out; goto out;
} }
der_free_oid(&type2); der_free_oid(&type2);
krb5_data_free(&content); krb5_data_free(&content);
ret = krb5_data_copy(&content, out.data, out.length); ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&out); der_free_octet_string(&unwrapped);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
N_("malloc: out of memory", "")); N_("malloc: out of memory", ""));
@@ -1171,10 +1171,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.length, content.length,
ctx->id, ctx->id,
&contentType, &contentType,
&content, &unwrapped,
&host); &host);
if (ret) if (ret)
goto out; goto out;
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
/* make sure that it is the kdc's certificate */ /* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, realm, hi, ctx, host); ret = pk_verify_host(context, realm, hi, ctx, host);
@@ -1887,7 +1890,7 @@ _krb5_pk_load_id(krb5_context context,
NULL, *chain_list); NULL, *chain_list);
if (ret) { if (ret) {
pk_copy_error(context, context->hx509ctx, ret, pk_copy_error(context, context->hx509ctx, ret,
"Failed to laod chain %s", "Failed to load chain %s",
*chain_list); *chain_list);
goto out; goto out;
} }