git: 53c5d72d287a - stable/13 - heimdal: Handle other types of garbage data

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 01 Dec 2022 14:25:28 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=53c5d72d287ae04a5adafe2a50f11a176c26ffe8

commit 53c5d72d287ae04a5adafe2a50f11a176c26ffe8
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-24 15:07:43 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-01 14:25:10 +0000

    heimdal: Handle other types of garbage data
    
    In addition to garbage realm data, also handle garbage dbname, acl_file,
    stash_file, and invalid bitmask garbage data.
    
    PR:             267912
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    
    (cherry picked from commit 91db848212e3b95cc689a1e8133a1d550b524919)
---
 crypto/heimdal/lib/kadm5/marshall.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index 38b9855021b2..fa7388b692fe 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -333,12 +333,38 @@ _kadm5_unmarshal_params(krb5_context context,
     ret = krb5_ret_int32(sp, &mask);
     if (ret)
 	goto out;
+    if (mask & KADM5_CONFIG_REALM & KADM5_CONFIG_DBNAME
+	& KADM5_CONFIG_ACL_FILE & KADM5_CONFIG_STASH_FILE) {
+	    ret = EINVAL;
+	    goto out;
+    }
     params->mask = mask;
 
     if (params->mask & KADM5_CONFIG_REALM) {
 	ret = krb5_ret_string(sp, &params->realm);
 	if (params->realm == NULL) {
 	    ret = EINVAL;
+	    goto out;
+	}
+    }
+    if (params->mask & KADM5_CONFIG_DBNAME) {
+	ret = krb5_ret_string(sp, &params->dbname);
+	if (params->dbname == NULL) {
+	    ret = EINVAL;
+	    goto out;
+	}
+    }
+    if (params->mask & KADM5_CONFIG_ACL_FILE) {
+	ret = krb5_ret_string(sp, &params->acl_file);
+	if (params->acl_file == NULL) {
+	    ret = EINVAL;
+	    goto out;
+	}
+    }
+    if (params->mask & KADM5_CONFIG_STASH_FILE) {
+	ret = krb5_ret_string(sp, &params->stash_file);
+	if (params->stash_file == NULL) {
+	    ret = EINVAL;
 	}
     }
  out: