Fix pkinit_server_verify_padata() error handling 1436/head
authorAnastasia Belova <nabelova31@gmail.com>
Mon, 2 Jun 2025 09:28:49 +0000 (12:28 +0300)
committerGreg Hudson <ghudson@mit.edu>
Tue, 17 Jun 2025 22:10:22 +0000 (18:10 -0400)
Avoid a null dereference if pkinit_init_kdc_req_context() fails to
allocate reqctx.

[ghudson@mit.edu: fixed cleanup handler to work with reqctx == NULL
instead of avoiding the cleanup handler on allocation failure]

src/plugins/preauth/pkinit/pkinit_srv.c

index 7a0fa69ee258089a5b03e905ff8d7692e6285644..13214d24ec4e553568306c256132529b8336caae 100644 (file)
@@ -605,7 +605,7 @@ pkinit_server_verify_padata(krb5_context context,
     reqctx = NULL;
 
 cleanup:
-    if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
+    if (retval && reqctx != NULL && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
         pkiDebug("pkinit_verify_padata failed: creating e-data\n");
         if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx,
                                 plgctx->idctx, plgctx->opts, retval, &e_data))
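Review bot: The new `reqctx != NULL` clause in the cleanup condition carries no comment saying when reqctx can be NULL at this label, and the code around it does not show the reason. I would add above the `if`: `/* reqctx is NULL if pkinit_init_kdc_req_context() failed; e-data needs its cryptoctx, so skip it. */`. The same call also reads `plgctx->cryptoctx`, `plgctx->idctx` and `plgctx->opts`; plgctx is presumably validated earlier in pkinit_server_verify_padata(), which starts outside the hunk, so that is worth confirming. The rest of the cleanup handler also lies outside the hunk, so any later use of reqctx there should be checked for NULL tolerance too.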