Fix unlikely null dereference in mk_cred()
authorNalin Dahyabhai <nalin@redhat.com>
Wed, 25 Jun 2014 16:56:42 +0000 (12:56 -0400)
committerTom Yu <tlyu@mit.edu>
Fri, 27 Jun 2014 18:40:43 +0000 (14:40 -0400)
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail.  Remove that logic.

Based on a patch from Jatin Nansi.

(cherry picked from commit 476284de8dc9a52b5544445cb1b316a417ae88f0)

ticket: 7948
version_fixed: 1.12.2
status: resolved

src/lib/krb5/krb/mk_cred.c

index a31d85cac6f0368eaf9c1c1ead0706ad3ac7137f..7616c3a7a9adabdab07ca1fa967e961de66af7fb 100644 (file)
@@ -49,13 +49,6 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
                                   KRB5_KEYUSAGE_KRB_CRED_ENCPART, scratch,
                                   pencdata);
 
-    if (retval) {
-        memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
-        free(pencdata->ciphertext.data);
-        pencdata->ciphertext.length = 0;
-        pencdata->ciphertext.data = 0;
-    }
-
     memset(scratch->data, 0, scratch->length);
     krb5_free_data(context, scratch);