Fix possible double-free during KDB creation

In krb5_dbe_def_encrypt_key_data(), when we free
key_data->key_data_contents[0], reset it to null so the caller doesn't
free it as well.

Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
manifests as a double-free during KDB creation if master key
encryption fails.

[ghudson@mit.edu: edited commit message]

(cherry picked from commit fddd419fc4112a118d8091e296cc2bfa8d8f777b)

ticket: 9086
version_fixed: 1.20.2

diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c810e2a928323ffefee319dd17e94400376..91debea5339620528674963d3249de03248f3a72 100644 (file)
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
     if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
                                  &plain, &cipher))) {
         free(key_data->key_data_contents[0]);
+        key_data->key_data_contents[0] = NULL;
         return retval;
     }
 
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,
                 key_data->key_data_contents[1] = malloc(keysalt->data.length);
                 if (key_data->key_data_contents[1] == NULL) {
                     free(key_data->key_data_contents[0]);
+                    key_data->key_data_contents[0] = NULL;
                     return ENOMEM;
                 }
                 memcpy(key_data->key_data_contents[1], keysalt->data.data,