heimdal: Properly ix bus fault when zero-length request received

Zero length client requests result in a bus fault when attempting to free malloc()ed pointers within the requests softc. Return an error when the request is zero length. This properly fixes PR/268062 without regressions. PR: 268062 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 3 days
2024-07-03 08:49:22 +00:00 · 2022-12-08 15:22:43 -08:00 · 2022-12-08 15:22:43 -08:00 · 3deefb0d14
commit 3deefb0d14
parent 5319949668
1 changed files with 2 additions and 0 deletions
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@ -473,6 +473,8 @@ v5_loop (krb5_context contextp,
 	ret = krb5_read_priv_message(contextp, ac, &fd, &in);
 	if(ret == HEIM_ERR_EOF)
 	    exit(0);
+	if (in.length == 0)
+	    ret = HEIM_ERR_OPNOTSUPP;
 	if(ret)
 	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
 	doing_useful_work = 1;