windows-afskfw-bluescreen-20070418

The afskfw library contains an unprotected call to krb5_free_context
which can result in krb5_free_context being called with a NULL pointer.
MIT's Kerberos libraries do not check that the pointer is non-NULL and
will attempt to use it as a valid pointer which will in turn result
in an invalid memory access error.

This library is used by afslogon.dll which is loaded by winlogon.exe.

If the krb5 profile is invalid, the krb5_init_context call will fail
to allocate a krb5_context structure which can then result in
krb5_free_context being called with a NULL pointer.

An unhandled exception within winlogon.exe will cause a blue screen event
on Windows 2000, XP and 2003.

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index d646899932ff683a5069c97b8d2434722f599bf4..40523c6ac017cf392b068dd4dc7f3214c769fb0f 100644 (file)
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -1423,7 +1423,8 @@ KFW_AFS_destroy_tickets_for_cell(char * cell)
         }
         free(principals);
     }
-    pkrb5_free_context(ctx);
+    if (ctx)
+               pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1477,7 +1478,8 @@ KFW_AFS_destroy_tickets_for_principal(char * user)
         free(cells);
     }
 
-    pkrb5_free_context(ctx);
+    if (ctx)
+               pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1701,7 +1703,8 @@ KFW_AFS_renew_token_for_cell(char * cell)
         code = -1;      // we did not renew the tokens 
 
   cleanup:
-    pkrb5_free_context(ctx);
+    if (ctx) 
+               pkrb5_free_context(ctx);
     return (code ? FALSE : TRUE);
 
 }