From 1113e746abd0c30b4522c75a99426185e6ab8772 Mon Sep 17 00:00:00 2001
From: Anastasia Belova <nabelova31@gmail.com>
Date: Mon, 2 Jun 2025 12:28:49 +0300
Subject: [PATCH] Fix pkinit_server_verify_padata() error handling

Avoid a null deference if pkinit_init_kdc_req_context() fails to
allocate reqctx.

[ghudson@mit.edu: fixed cleanup handler to work with reqctx == NULL
instead of avoiding the cleanup handler on allocation failure]
---
 src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 7a0fa69ee2..13214d24ec 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -605,7 +605,7 @@ pkinit_server_verify_padata(krb5_context context,
     reqctx = NULL;
 
 cleanup:
-    if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
+    if (retval && reqctx != NULL && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
         pkiDebug("pkinit_verify_padata failed: creating e-data\n");
         if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx,
                                 plgctx->idctx, plgctx->opts, retval, &e_data))
-- 
2.47.2