From: Greg Hudson Date: Fri, 2 Dec 2016 16:10:52 +0000 (-0500) Subject: Improve cleanup in krb5_rc_io_fetch() X-Git-Tag: krb5-1.16-beta1~193 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b3e207bfe7fca287885ec47116d17784fa7e726;p=thirdparty%2Fkrb5.git Improve cleanup in krb5_rc_io_fetch() In the error cleanup for krb5_rc_io_fetch(), null out rep->msghash after freeing it, like we do with rep->client and rep->server. This omission is currently harmless because krb5_rc_io_fetch() never sets rep->msghash before failing, but it could result in a double-free or use after free if the code changes.
---
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index c4d2c744da..80c22ae2df 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -517,7 +517,7 @@ errout:
 free(rep->server);
 if (rep->msghash)
 free(rep->msghash);
- rep->client = rep->server = 0;
+ rep->client = rep->server = rep->msghash = NULL;
 return retval;
 }
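Review bot: The assignment `rep->client = rep->server = rep->msghash = NULL;` under `errout:` carries an invariant that is not written down in the code: on failure every owned pointer in `*rep` is freed and cleared, so a later cleanup of the same structure cannot double-free or reuse freed memory. A one-line comment above it, such as `/* On failure, leave no freed pointers in *rep. */`, would prompt whoever adds another allocated field to extend both the free and the reset. The function body begins outside the hunk, so whether any other field of `*rep` is allocated before reaching `errout:` cannot be checked from here.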