From 20f2501322d0fc35ca061eac323359401d994899 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Wed, 18 Apr 2007 16:58:22 +0000
Subject: [PATCH] STABLE14-windows-afskfw-bluescreen-20070418

The afskfw library contains an unprotected call to krb5_free_context which can result in krb5_free_context being called with a NULL pointer. MIT's Kerberos libraries do not check that the pointer is non-NULL and will attempt to use it as a valid pointer which will in turn result in an invalid memory access error.

This library is used by afslogon.dll which is loaded by winlogon.exe. If the krb5 profile is invalid, the krb5_init_context call will fail to allocate a krb5_context structure which can then result in krb5_free_context being called with a NULL pointer. An unhandled exception within winlogon.exe will cause a blue screen event on Windows 2000, XP and 2003.

(cherry picked from commit 85a23a70c783364e039f2a1b402ba718c1fc34a5)
---
 src/WINNT/afsd/afskfw.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index 7123c45123..4a4a07e1c1 100644
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -1422,7 +1422,8 @@ KFW_AFS_destroy_tickets_for_cell(char * cell)
         }
         free(principals);
     }
-    pkrb5_free_context(ctx);
+    if (ctx)
+        pkrb5_free_context(ctx);
     return 0;
 }
@@ -1476,7 +1477,8 @@ KFW_AFS_destroy_tickets_for_principal(char * user)
         free(cells);
     }
-    pkrb5_free_context(ctx);
+    if (ctx)
+        pkrb5_free_context(ctx);
     return 0;
 }
@@ -1700,7 +1702,8 @@ KFW_AFS_renew_token_for_cell(char * cell)
     code = -1; // we did not renew the tokens
 cleanup:
-    pkrb5_free_context(ctx);
+    if (ctx)
+        pkrb5_free_context(ctx);
     return (code ? FALSE : TRUE);
 }
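Review bot: The new `if (ctx)` guards are only sound if `ctx` is initialized to NULL at its declaration and is not left holding a stale value when `pkrb5_init_context` fails; the declarations of `ctx` in KFW_AFS_destroy_tickets_for_cell, KFW_AFS_destroy_tickets_for_principal and KFW_AFS_renew_token_for_cell all lie outside these hunks, so that should be confirmed, since testing an uninitialized `krb5_context ctx;` reads an indeterminate value. The same guard is added in all three places; a comment on the first occurrence, `/* ctx is NULL when pkrb5_init_context failed (e.g. unreadable krb5 profile); MIT krb5 does not tolerate krb5_free_context(NULL) */`, would record why the check exists so it is not "simplified" away later. It is also worth checking, outside the hunk, that each function returns early on a failed `pkrb5_init_context` rather than continuing to call other krb5 routines with a NULL context, as the guard only protects the final free. All three functions begin outside the hunks.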