From: Tom Yu Date: Tue, 15 Mar 2011 23:50:09 +0000 (+0000) Subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] X-Git-Tag: krb5-1.8.4-final~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8bec619e06cea9b25b54770764f3ead23cc5a09;p=thirdparty%2Fkrb5.git KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] pull up r24705 from trunk ------------------------------------------------------------------------ r24705 | tlyu | 2011-03-15 17:47:19 -0400 (Tue, 15 Mar 2011) | 8 lines ticket: 6881 subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] tags: pullup target_version: 1.9.1 Fix a double-free condition in the KDC that can occur during an AS-REQ when PKINIT is enabled. ticket: 6882 status: resolved version_fixed: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24707 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 39242979aa..4eb752c5fe 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, pad->contents = td[size]->data; pad->length = td[size]->length; pa[size] = pad; + td[size]->data = NULL; + td[size]->length = 0; } krb5_free_typed_data(kdc_context, td); }