Fix unlikely double free in PKINIT client code

In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again.  This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.

(cherry picked from commit cc002d6c1ccfc08356d01ba83e72a46855d0302c)

ticket: 8091 (new)
version_fixed: 1.11.6
status: resolved

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f84012cfd9dd65fa2445a11b4b9507470d3b4a46..c4a58cd37c5a47e6eea9db314909c073f8120c3b 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -211,7 +211,6 @@ pa_pkinit_gen_req(krb5_context context,
 cleanup:
     if (der_req != NULL)
         krb5_free_data(context, der_req);
-    free(out_data);
 
     if (retval) {
         if (return_pa_data) {
@@ -221,9 +220,9 @@ cleanup:
         }
         if (out_data) {
             free(out_data->data);
-            free(out_data);
         }
     }
+    free(out_data);
     return retval;
 }