From: Greg Hudson
Date: Thu, 13 Mar 2014 22:34:22 +0000 (-0400)
Subject: Fix unlikely double free in PKINIT client code
X-Git-Tag: krb5-1.13-alpha1~179
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc002d6c1ccfc08356d01ba83e72a46855d0302c;p=thirdparty%2Fkrb5.git

Fix unlikely double free in PKINIT client code

In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero retval and non-null out_data, out_data is freed, then dereferenced, then freed again. This can only happen if one of the small fixed-size malloc requests fails after pkinit_as_req_create succeeds, so it is unlikely to occur in practice.

ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index bfa25ae611..cfef5b9dc0 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,7 +212,6 @@ pa_pkinit_gen_req(krb5_context context,
 cleanup:
 if (der_req != NULL)
 krb5_free_data(context, der_req);
- free(out_data);
 if (retval) {
 if (return_pa_data) {
@@ -222,9 +221,9 @@ cleanup:
 }
 if (out_data) {
 free(out_data->data);
- free(out_data);
 }
 }
+ free(out_data);
 return retval;
 }
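Review bot: The new unconditional `free(out_data);` placed after the `if (retval)` block in the second hunk is only safe if `out_data` is NULL on every path that reaches `cleanup:` before it is allocated; that initialization sits outside both hunks (pa_pkinit_gen_req begins before the first hunk), so it should be confirmed rather than assumed. The asymmetry that remains — `out_data->data` is freed only on failure while the container is now always freed — reads as an ownership transfer of the payload to `*return_pa_data` on success, but nothing in the hunk states that. A one-line comment above the added line would make that contract explicit for the next person touching this cleanup path, e.g. `/* Only the krb5_data container is freed here; on success out_data->data presumably belongs to *return_pa_data (confirm). */`. With the container freed last and the payload freed before it, the dereference-after-free described in the commit message is gone.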