[28411] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.12]: Fix unlikely double free in PKINIT client
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Jun 26 17:41:02 2014
Date: Thu, 26 Jun 2014 17:40:54 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201406262140.s5QLesk5023661@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/68844329ad7d555e2c8dce9762b042f4b8f0ced1
commit 68844329ad7d555e2c8dce9762b042f4b8f0ced1
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Mar 13 18:34:22 2014 -0400
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
(cherry picked from commit cc002d6c1ccfc08356d01ba83e72a46855d0302c)
ticket: 7878
version_fixed: 1.12.2
status: resolved
src/plugins/preauth/pkinit/pkinit_clnt.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index bfa25ae..cfef5b9 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,7 +212,6 @@ pa_pkinit_gen_req(krb5_context context,
cleanup:
if (der_req != NULL)
krb5_free_data(context, der_req);
- free(out_data);
if (retval) {
if (return_pa_data) {
@@ -222,9 +221,9 @@ cleanup:
}
if (out_data) {
free(out_data->data);
- free(out_data);
}
}
+ free(out_data);
return retval;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
