[29786] in CVS-changelog-for-Kerberos-V5


krb5 commit: Improve cleanup in krb5_rc_io_fetch()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Dec 6 11:06:00 2016

Date: Tue, 6 Dec 2016 11:05:57 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201612061605.uB6G5v8l021078@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/8b3e207bfe7fca287885ec47116d17784fa7e726
commit 8b3e207bfe7fca287885ec47116d17784fa7e726
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Dec 2 11:10:52 2016 -0500

    Improve cleanup in krb5_rc_io_fetch()
    
    In the error cleanup for krb5_rc_io_fetch(), null out rep->msghash
    after freeing it, like we do with rep->client and rep->server.  This
    omission is currently harmless because krb5_rc_io_fetch() never sets
    rep->msghash before failing, but it could result in a double-free or
    use after free if the code changes.

 src/lib/krb5/rcache/rc_dfl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index c4d2c74..80c22ae 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -517,7 +517,7 @@ errout:
         free(rep->server);
     if (rep->msghash)
         free(rep->msghash);
-    rep->client = rep->server = 0;
+    rep->client = rep->server = rep->msghash = NULL;
     return retval;
 }
 
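Review bot: the "if (rep->msghash)" guard left as context just above the changed line is redundant, since free(NULL) is a no-op; the errout path could use unconditional free() calls followed by the combined NULL assignment. Separately, the commit message says krb5_rc_io_fetch() never sets rep->msghash before failing, so the free at errout is only safe if the field is already NULL or otherwise initialized on entry; that initialization is not visible in this hunk and is worth confirming. A one-line comment at errout stating that all three pointers are left NULL on failure would document the invariant for callers.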
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
