From: Ilya Gladyshev Date: Wed, 30 Aug 2023 20:19:59 +0000 (+0100) Subject: Fix krb5_cccol_have_content() bad pointer free X-Git-Tag: krb5-1.22-beta1~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=635c8cca65b745476d07c1f5ff701445db25c10d;p=thirdparty%2Fkrb5.git Fix krb5_cccol_have_content() bad pointer free krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop, and frees the resulting principal on success or failure. Set princ to null before each call to ensure we don't free a dangling pointer. [ghudson@mit.edu: rewrote commit message; moved assignment for greater clarity] ticket: 9103 tags: pullup target_version: 1.21-next target_version: 1.20-next --- diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c index 4bcb66b712..926873f2a2 100644 --- a/src/lib/krb5/ccache/cccursor.c +++ b/src/lib/krb5/ccache/cccursor.c @@ -249,6 +249,7 @@ krb5_cccol_have_content(krb5_context context) save_first_error(context, ret, &errsave); if (ret || cache == NULL) break; + princ = NULL; ret = krb5_cc_get_principal(context, cache, &princ); save_first_error(context, ret, &errsave); if (!ret)
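Review bot: The added `princ = NULL;` ahead of `krb5_cc_get_principal(context, cache, &princ)` has no comment, so it reads as a redundant re-initialization that a later cleanup could delete and reintroduce the bad free. A one-line comment at the assignment would record the invariant from the commit message: princ is freed on every loop iteration whether the call succeeds or fails, so it must not carry over the previous iteration's already-freed value. The hunk also shows no accompanying test. A regression case where a cache in the collection fails krb5_cc_get_principal() after an earlier cache succeeded would cover the path the message describes.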