[Freeipa-devel] [PATCH] 0023 Bug in the ipapwd plugin

thierry bordaz tbordaz at redhat.com
Tue Jul 19 08:17:27 UTC 2016



On 07/13/2016 10:02 PM, Lukas Slebodnik wrote:
> On (13/07/16 16:50), thierry bordaz wrote:
>> https://fedorahosted.org/freeipa/ticket/6030
>> From 4efedc5e674db92f9f7c160429df543422ed8afb Mon Sep 17 00:00:00 2001
>> From: Thierry Bordaz <tbordaz at redhat.com>
>> Date: Wed, 13 Jul 2016 15:34:20 +0200
>> Subject: [PATCH] Ticket 6030 Bug in the ipapwd plugin
>>
>> ipapwd_encrypt_encode_key allocates 'kset' on the heap but
>> with num_keys and keys not being initialized.
>> Then ipa_krb5_generate_key_data initializes them with the
>> generated keys.
>> If ipa_krb5_generate_key_data fails (here EINVAL meaning no
>> principal->realm.data), num_keys and keys are left uninitialized.
>> Upon failure, ipapwd_keyset_free is called to free 'kset'
>> that contains random num_keys and keys.
>>
>> allocates kset with calloc so that kset->num_keys==0 and
>> kset->keys==NULL
>>
>> https://fedorahosted.org/freeipa/ticket/6030
>> ---
>> daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
>> index 5ca155d..46bf79a 100644
>> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
>> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
>> @@ -148,7 +148,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
>>          pwd.length = strlen(data->password);
>>      }
>>
>> -    kset = malloc(sizeof(struct ipapwd_keyset));
>> +    kset = calloc(sizeof(struct ipapwd_keyset));
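Review bot: On the added line, calloc is called with a single argument, but its prototype is calloc(nmemb, size), so this does not compile; it should read `kset = calloc(1, sizeof(struct ipapwd_keyset));`. Since the commit message relies on kset->num_keys==0 and kset->keys==NULL when ipa_krb5_generate_key_data fails, a short comment at the allocation stating that ipapwd_keyset_free depends on the zeroed fields would keep a later cleanup from switching back to malloc.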
> I thought that calloc needs two arguments
>
> man malloc says:
>         void *malloc(size_t size);
>         void *calloc(size_t nmemb, size_t size);
>
> LS
Oops, sorry for this dummy patch. Here is the right one.

thanks
thierry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-44-tbordaz-0023-2-Heap-corruption-in-ipapwd-plugin.patch
Type: text/x-patch
Size: 1446 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160719/711cc222/attachment.bin>
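The failure mode described in the commit message, as an added example that is not part of the original thread or of the FreeIPA sources: a cleanup routine that trusts `num_keys` and `keys` is only safe on an early-error path if the struct was zeroed at allocation. All struct and function names below are hypothetical stand-ins, and the realm string is a constructed sample.

```c
/* Added illustration; every name here is hypothetical, not FreeIPA's. */
#include <errno.h>
#include <stdlib.h>

struct key { unsigned char *data; size_t len; };
struct keyset { int num_keys; struct key *keys; };

/* Cleanup trusts num_keys and keys, so both must be valid from the
 * moment the keyset exists. Returns how many keys were released. */
static int keyset_free(struct keyset **pkset)
{
    int freed = 0;
    if (pkset == NULL || *pkset == NULL) return 0;
    for (int i = 0; i < (*pkset)->num_keys; i++, freed++)
        free((*pkset)->keys[i].data);
    free((*pkset)->keys);
    free(*pkset);
    *pkset = NULL;
    return freed;
}

/* Fills the keyset only on success; on EINVAL it touches nothing,
 * like the failure the commit message describes. */
static int generate_keys(const char *realm, int n, struct keyset *kset)
{
    if (realm == NULL || n <= 0) return EINVAL;
    kset->keys = calloc((size_t)n, sizeof(struct key));
    if (kset->keys == NULL) return ENOMEM;
    for (int i = 0; i < n; i++) {
        kset->keys[i].len = 16;
        kset->keys[i].data = calloc(1, 16);  /* NULL is fine for free() */
        kset->num_keys = i + 1;
    }
    return 0;
}

/* Returns keys released by cleanup, or -1 on allocation failure.
 * With malloc() here, the EINVAL path would hand keyset_free() an
 * indeterminate num_keys/keys pair. */
int encode_and_cleanup(const char *realm, int n)
{
    struct keyset *kset = calloc(1, sizeof(struct keyset));
    if (kset == NULL) return -1;
    (void)generate_keys(realm, n, kset);
    return keyset_free(&kset);
}

int main(void) { return encode_and_cleanup(NULL, 3) == 0 ? 0 : 1; }
```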

