From: Greg Hudson Date: Mon, 9 May 2016 17:45:06 +0000 (-0400) Subject: Fix unlikely pointer error in get_in_tkt.c X-Git-Tag: krb5-1.14.3-final~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca76fe6dc46e58019ff8ec7f682f11c6eaa39132;p=thirdparty%2Fkrb5.git Fix unlikely pointer error in get_in_tkt.c In add_padata(), reset the caller's pointer and ensure the list is terminated as soon as realloc() succeeds; otherwise, the old pointer could be left behind if a later allocation fails. (cherry picked from commit 24452cd737951fa6e0f35e97c6a644a9db0aa82d) ticket: 8413 version_fixed: 1.14.3 --- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index ba635fe3b5..b78e19ab06 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -342,10 +342,11 @@ request_enc_pa_rep(krb5_pa_data ***padptr) if (pad) for (size=0; pad[size]; size++); pad = realloc(pad, sizeof(*pad)*(size+2)); - if (pad == NULL) return ENOMEM; - pad[size+1] = NULL; + *padptr = pad; + pad[size] = pad[size + 1] = NULL; + pa = malloc(sizeof(krb5_pa_data)); if (pa == NULL) return ENOMEM; @@ -353,7 +354,6 @@ request_enc_pa_rep(krb5_pa_data ***padptr) pa->length = 0; pa->pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; pad[size] = pa; - *padptr = pad; return 0; }