From: Greg Hudson Date: Mon, 9 May 2016 17:45:06 +0000 (-0400) Subject: Fix unlikely pointer error in get_in_tkt.c X-Git-Tag: krb5-1.15-beta1~183 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F450%2Fhead;p=thirdparty%2Fkrb5.git Fix unlikely pointer error in get_in_tkt.c In add_padata(), reset the caller's pointer and ensure the list is terminated as soon as realloc() succeeds; otherwise, the old pointer could be left behind if a later allocation fails. ticket: 8413 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup --- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 37f29ccffa..24cd97072d 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -344,10 +344,11 @@ add_padata(krb5_pa_data ***padptr, krb5_preauthtype pa_type, if (pad) for (size=0; pad[size]; size++); pad = realloc(pad, sizeof(*pad)*(size+2)); - if (pad == NULL) return ENOMEM; - pad[size+1] = NULL; + *padptr = pad; + pad[size] = pad[size + 1] = NULL; + pa = malloc(sizeof(krb5_pa_data)); if (pa == NULL) return ENOMEM; @@ -363,7 +364,6 @@ add_padata(krb5_pa_data ***padptr, krb5_preauthtype pa_type, } pa->pa_type = pa_type; pad[size] = pa; - *padptr = pad; return 0; }