From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 18 Apr 2007 16:57:05 +0000 (+0000)
Subject: windows-afskfw-bluescreen-20070418
X-Git-Tag: BP-openafs-windows-kdfs-ifs~727
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=85a23a70c783364e039f2a1b402ba718c1fc34a5;p=packages%2Fo%2Fopenafs.git

windows-afskfw-bluescreen-20070418


The afskfw library contains an unprotected call to krb5_free_context
which can result in krb5_free_context being called with a NULL pointer.
MIT's Kerberos libraries do not check that the pointer is non-NULL and
will attempt to use it as a valid pointer which will in turn result
in an invalid memory access error.

This library is used by afslogon.dll which is loaded by winlogon.exe.

If the krb5 profile is invalid, the krb5_init_context call will fail
to allocate a krb5_context structure which can then result in
krb5_free_context being called with a NULL pointer.

An unhandled exception within winlogon.exe will cause a blue screen event
on Windows 2000, XP and 2003.
---

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index d64689993..40523c6ac 100644
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -1423,7 +1423,8 @@ KFW_AFS_destroy_tickets_for_cell(char * cell)
         }
         free(principals);
     }
-    pkrb5_free_context(ctx);
+    if (ctx)
+		pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1477,7 +1478,8 @@ KFW_AFS_destroy_tickets_for_principal(char * user)
         free(cells);
     }
 
-    pkrb5_free_context(ctx);
+    if (ctx)
+		pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1701,7 +1703,8 @@ KFW_AFS_renew_token_for_cell(char * cell)
         code = -1;      // we did not renew the tokens 
 
   cleanup:
-    pkrb5_free_context(ctx);
+    if (ctx) 
+		pkrb5_free_context(ctx);
     return (code ? FALSE : TRUE);
 
 }