From: Greg Hudson
Date: Tue, 16 Dec 2014 17:57:56 +0000 (-0500)
Subject: Fix bugs in previous cc_file.c changes
X-Git-Tag: krb5-1.14-alpha1~184
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14f039b40efd91b93b1148765bf0b7d3c90db58a;p=thirdparty%2Fkrb5.git

Fix bugs in previous cc_file.c changes

In fcc_destroy and krb5int_fcc_new_unique, call set_errmsg_filename before deleting the cache handle, or else the reference to data->filename is a use after free.

In set_errmsg_filename, do nothing if the code is 0, as we don't have an error to annotate.

ticket: 8052
---

diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index de9c968dc1..6789c09e18 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -117,6 +117,8 @@ static krb5_error_code
 set_errmsg_filename(krb5_context context, krb5_error_code ret, const char *fname)
 {
+ if (!ret)
+ return 0;
 k5_setmsg(context, ret, "%s (filename: %s)", error_message(ret), fname);
 return ret;
 }
@@ -644,12 +646,13 @@ fcc_destroy(krb5_context context, krb5_ccache id)
 #endif /* MSDOS_FILESYSTEM */
 cleanup:
+ (void)set_errmsg_filename(context, ret, data->filename);
 k5_cc_mutex_unlock(context, &data->lock);
 free_fccdata(context, data);
 free(id);
 krb5_change_cache();
- return set_errmsg_filename(context, ret, data->filename);
+ return ret;
 }
 extern const krb5_cc_ops krb5_fcc_ops;
@@ -893,11 +896,12 @@ krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id)
 return 0;
 err_out:
+ (void)set_errmsg_filename(context, ret, data->filename);
 k5_cc_mutex_unlock(context, &data->lock);
 k5_cc_mutex_destroy(&data->lock);
 free(data->filename);
 free(data);
- return set_errmsg_filename(context, ret, data->filename);
+ return ret;
 }
 /*
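Review bot: The early return added to set_errmsg_filename leaves the function's contract undocumented: for a zero code it now returns 0 without touching the context's error message, and otherwise it rewrites the message and returns ret unchanged, which is what lets the callers in this commit discard the result with `(void)`. A short header comment above the signature would make that explicit: `/* Annotate ret's error message with fname and return ret unchanged; a no-op returning 0 when ret is 0. */`. The fixed `"%s (filename: %s)"` format keeps fname out of the format string, so that line needs no change.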
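Review bot: The new set_errmsg_filename call in fcc_destroy's cleanup block is correct only because it runs before free_fccdata() releases data->filename, but nothing in the block says so, and a later tidy-up could fold it back into the return statement and reintroduce the use after free the commit fixes. A one-line comment above the call would pin the ordering: `/* Annotate before free_fccdata() frees data->filename. */`. The same comment belongs above the matching call in krb5int_fcc_new_unique's err_out block, where free(data->filename) follows it. fcc_destroy's body begins outside the hunk, so I cannot confirm that data->filename is non-NULL at every jump to cleanup; if it can be NULL there, passing it to the "%s" conversion in k5_setmsg would be undefined behavior.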
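Review bot: The err_out label in krb5int_fcc_new_unique now carries an implicit precondition that is not written down: the block reads data->filename, unlocks and destroys data->lock, and frees data->filename, so every `goto err_out` must occur after both the mutex is initialized and the filename is allocated. The function body starts outside the hunk, so I cannot verify that every jump satisfies this; a comment on the label would let a reader check it at a glance, e.g. `err_out: /* Requires data->lock initialized and data->filename allocated. */`. If any earlier failure path could reach this label before those two steps, it should return directly instead.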