[28289] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix unlikely double free in PKINIT client code
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Mar 18 13:14:04 2014
Date: Tue, 18 Mar 2014 13:13:59 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201403181713.s2IHDx3s014803@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/cc002d6c1ccfc08356d01ba83e72a46855d0302c
commit cc002d6c1ccfc08356d01ba83e72a46855d0302c
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Mar 13 18:34:22 2014 -0400
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
src/plugins/preauth/pkinit/pkinit_clnt.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index bfa25ae..cfef5b9 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,7 +212,6 @@ pa_pkinit_gen_req(krb5_context context,
cleanup:
if (der_req != NULL)
krb5_free_data(context, der_req);
- free(out_data);
if (retval) {
if (return_pa_data) {
@@ -222,9 +221,9 @@ cleanup:
}
if (out_data) {
free(out_data->data);
- free(out_data);
}
}
+ free(out_data);
return retval;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
