git.ipfire.org Git - thirdparty/krb5.git/commitdiff
Fix krb5_cccol_have_content() bad pointer free
author Ilya Gladyshev <ilya.v.gladyshev@gmail.com>
Wed, 30 Aug 2023 20:19:59 +0000 (21:19 +0100)
committer Greg Hudson <ghudson@mit.edu>
Sun, 3 Sep 2023 02:21:40 +0000 (22:21 -0400)
krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop,
and frees the resulting principal on success or failure.  Set princ to
null before each call to ensure we don't free a dangling pointer.

[ghudson@mit.edu: rewrote commit message; moved assignment for greater
clarity]

ticket: 9103
tags: pullup
target_version: 1.21-next
target_version: 1.20-next

src/lib/krb5/ccache/cccursor.c

index 4bcb66b712c3b988cfe0b88b6948519d5e602035..926873f2a2e69b2fbe611909e6dd2ea41b4982f8 100644 (file)
@@ -249,6 +249,7 @@ krb5_cccol_have_content(krb5_context context)
         save_first_error(context, ret, &errsave);
         if (ret || cache == NULL)
             break;
+        princ = NULL;
         ret = krb5_cc_get_principal(context, cache, &princ);
         save_first_error(context, ret, &errsave);
         if (!ret)
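
Review bot: The added `princ = NULL;` just before the krb5_cc_get_principal() call carries no comment, so it reads like a redundant initialization that a later cleanup could remove. A one-line comment at that assignment would protect it, for example noting that, per the commit message, princ is freed on every pass of the loop whether the call succeeds or fails, so it must not still hold the previous iteration's already-freed value. A regression test would also help here: a collection in which one cache yields a principal and a later cache fails krb5_cc_get_principal() is the case this line exists for, and nothing in the change exercises it.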