CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC

Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index ad026dd617bdb0fa7daf28315a9ff8a847dd021e..bda61e69df2a7b499656ca16d92293dceaaa2d78 100644 (file)
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
                        client_name);
                continue;
            }
-           free_PA_ENC_TS_ENC(&p);
            if (abs(kdc_time - p.patimestamp) > context->max_skew) {
                char client_time[100];
 
@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
                 * there is a e_text, they become unhappy.
                 */
                e_text = NULL;
+               free_PA_ENC_TS_ENC(&p);
                goto out;
            }
+           free_PA_ENC_TS_ENC(&p);
            et.flags.pre_authent = 1;
 
            set_salt_padata(rep.padata, pa_key->salt);