[28729] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.11]: Fix unlikely double free in PKINIT client
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Feb 6 17:30:03 2015
Date: Fri, 6 Feb 2015 17:26:54 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201502062226.t16MQsIZ024897@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/32d98df8acbc7155b513142c8b6e5ce6b5fb78d8
commit 32d98df8acbc7155b513142c8b6e5ce6b5fb78d8
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Mar 13 18:34:22 2014 -0400
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
(cherry picked from commit cc002d6c1ccfc08356d01ba83e72a46855d0302c)
ticket: 8091 (new)
version_fixed: 1.11.6
status: resolved
src/plugins/preauth/pkinit/pkinit_clnt.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f84012c..c4a58cd 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -211,7 +211,6 @@ pa_pkinit_gen_req(krb5_context context,
cleanup:
if (der_req != NULL)
krb5_free_data(context, der_req);
- free(out_data);
if (retval) {
if (return_pa_data) {
@@ -221,9 +220,9 @@ cleanup:
}
if (out_data) {
free(out_data->data);
- free(out_data);
}
}
+ free(out_data);
return retval;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
