From: Robbie Harwood
Date: Tue, 3 Oct 2017 19:01:55 +0000 (-0400)
Subject: Fix double free in kdc hammer
X-Git-Tag: krb5-1.17-beta1~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c8b6039e67f63b5c657cb0563ae32ea7f00d083;p=thirdparty%2Fkrb5.git
Fix double free in kdc hammer
If kdc5_hammer.c:krb5_string_to_key() fails, we didn't NULL out key before returning it, leading to potential double-free.
---
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index efb4271e58..086c21d1ce 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -283,6 +283,8 @@ get_server_key(context, server, enctype, key)
 krb5_data salt;
 krb5_data pwd;
+ *key = NULL;
+
 if ((retval = krb5_principal2salt(context, server, &salt)))
 return retval;
@@ -294,8 +296,11 @@ get_server_key(context, server, enctype, key)
 if ((*key = (krb5_keyblock *)malloc(sizeof(krb5_keyblock)))) {
 krb5_use_enctype(context, &eblock, enctype);
- if ((retval = krb5_string_to_key(context, &eblock, *key, &pwd, &salt)))
+ retval = krb5_string_to_key(context, &eblock, *key, &pwd, &salt);
+ if (retval) {
 free(*key);
+ *key = NULL;
+ }
 } else
 retval = ENOMEM;
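Review bot: The new `*key = NULL;` at the top of get_server_key makes "NULL on every error return" part of the function's output contract, but nothing in the hunk records that. A later early-return path added between this line and the malloc could quietly break the invariant and bring back the double free. I would put a comment directly above the assignment, for example `/* Output contract: *key is NULL on every error return. */`. The function header and its callers are outside the hunk, so the claim that a caller frees the key on error is taken from the commit description only.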
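Review bot: In the malloc branch the keyblock is passed to krb5_string_to_key() uninitialized, and the failure path releases only the struct itself with `free(*key)`. If krb5_string_to_key() can fail after attaching a buffer to the keyblock (not visible from this hunk), that buffer is leaked and the struct's other fields were indeterminate while it ran. Allocating with `*key = calloc(1, sizeof(**key))` would keep the fields zeroed, remove the cast, and tie the size to the pointer's type. The rest of get_server_key continues past the end of the hunk.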