From 81b593f04bb0ddefb25b5867dd201ef4e3f22fd0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 10 Oct 2023 11:59:34 +1300 Subject: [PATCH] CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204)) The issue here is that only the size of the pointer, not the size of the struture was allocated with calloc(). This means that the malloc() for the freshness token bytes would have the memory address written beyond the end of the allocated memory. Additionally, the allocation was not free()ed, resulting in a memory leak. This means that a user could trigger ongoing memory allocation in the server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b) --- third_party/heimdal/kdc/pkinit.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c index 495dfa7a7e5..88aa2887fb7 100644 --- a/third_party/heimdal/kdc/pkinit.c +++ b/third_party/heimdal/kdc/pkinit.c @@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp) hx509_peer_info_free(cp->peer); if (cp->client_anchors) hx509_certs_free(&cp->client_anchors); + if (cp->freshness_token) + der_free_octet_string(cp->freshness_token); + free(cp->freshness_token); memset(cp, 0, sizeof(*cp)); free(cp); } @@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, * Copy the freshness token into the out parameters if it is present. */ if (ap.pkAuthenticator.freshnessToken != NULL) { - cp->freshness_token = calloc(1, sizeof (cp->freshness_token)); + cp->freshness_token = calloc(1, sizeof (*cp->freshness_token)); if (cp->freshness_token == NULL) { ret = ENOMEM; free_AuthPack(&ap); -- 2.39.1