]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cb3db58)
Fix unlikely double free in PKINIT client code
authorGreg Hudson <ghudson@mit.edu>
Thu, 13 Mar 2014 22:34:22 +0000 (18:34 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 18 Mar 2014 17:01:13 +0000 (13:01 -0400)
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again.  This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.

ticket: 7878 (new)
target_version: 1.12.2
tags: pullup

src/plugins/preauth/pkinit/pkinit_clnt.c patch | blob | blame | history

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index bfa25ae611bc43d31eae8e94ee22d95ba33133c5..cfef5b9dc0fb49c1b292bcceb09df9241c640ead 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,7 +212,6 @@ pa_pkinit_gen_req(krb5_context context,
 cleanup:
     if (der_req != NULL)
         krb5_free_data(context, der_req);
-    free(out_data);
 
     if (retval) {
         if (return_pa_data) {
@@ -222,9 +221,9 @@ cleanup:
         }
         if (out_data) {
             free(out_data->data);
-            free(out_data);
         }
     }
+    free(out_data);
     return retval;
 }
 
Mirror of https://github.com/krb5/krb5.git