third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet...

The issue here is that only the size of the pointer, not the size
of the struture was allocated with calloc().

This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.

Additionally, the allocation was not free()ed, resulting in a memory
leak.  This means that a user could trigger ongoing memory allocation
in the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index 495dfa7a7e5911571e0b195b478722fd0a746aa5..88aa2887fb7f7ee915395ffd2c7be1122f84774c 100644 (file)
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp)
        hx509_peer_info_free(cp->peer);
     if (cp->client_anchors)
        hx509_certs_free(&cp->client_anchors);
+    if (cp->freshness_token)
+       der_free_octet_string(cp->freshness_token);
+    free(cp->freshness_token);
     memset(cp, 0, sizeof(*cp));
     free(cp);
 }
@@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
         * Copy the freshness token into the out parameters if it is present.
         */
        if (ap.pkAuthenticator.freshnessToken != NULL) {
-           cp->freshness_token = calloc(1, sizeof (cp->freshness_token));
+           cp->freshness_token = calloc(1, sizeof (*cp->freshness_token));
            if (cp->freshness_token == NULL) {
                ret = ENOMEM;
                free_AuthPack(&ap);