Fix unlikely pointer error in get_in_tkt.c

In add_padata(), reset the caller's pointer and ensure the list is
terminated as soon as realloc() succeeds; otherwise, the old pointer
could be left behind if a later allocation fails.

ticket: 8413 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 37f29ccffa0f7b92ad78ac646bf9c397cd9356d5..24cd97072d67621dabcc35f60be8698026d928e4 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -344,10 +344,11 @@ add_padata(krb5_pa_data ***padptr, krb5_preauthtype pa_type,
     if (pad)
         for (size=0; pad[size]; size++);
     pad = realloc(pad, sizeof(*pad)*(size+2));
-
     if (pad == NULL)
         return ENOMEM;
-    pad[size+1] = NULL;
+    *padptr = pad;
+    pad[size] = pad[size + 1] = NULL;
+
     pa = malloc(sizeof(krb5_pa_data));
     if (pa == NULL)
         return ENOMEM;
@@ -363,7 +364,6 @@ add_padata(krb5_pa_data ***padptr, krb5_preauthtype pa_type,
     }
     pa->pa_type = pa_type;
     pad[size] = pa;
-    *padptr = pad;
     return 0;
 }