[11780] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #6817] potential null dereference in gss mechglue

daemon@ATHENA.MIT.EDU (Arlene Berry" via RT)
Sun Nov 7 10:30:54 2010

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: ""Arlene Berry" via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6817@krbdev.mit.edu>
Message-ID: <rt-6817-33452.11.1528221710066@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6817'":;"'AdminCc of krbdev.mit.edu Ticket #6817'":;@MIT.EDU
Date: Sun,  7 Nov 2010 10:30:51 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

In src/lib/gssapi/mechglue/g_canon_name.c in gss_canonicalize_name in
the allocation_failure section out_union is dereferenced without first
checking whether it was allocated. 

--- src/lib/gssapi/mechglue/g_canon_name.c	(revision 52314)
+++ src/lib/gssapi/mechglue/g_canon_name.c	(revision 52315)
@@ -153,14 +153,17 @@
 allocation_failure:
 	/* do not delete the src name external name format */
 	if (output_name) {
-		if (out_union->external_name) {
-			if (out_union->external_name->value)
-				free(out_union->external_name->value);
-			free(out_union->external_name);
+		if (out_union)
+		{
+			if (out_union->external_name) {
+				if (out_union->external_name->value)
+
free(out_union->external_name->value);
+				free(out_union->external_name);
+			}
+			if (out_union->name_type)
+				(void) gss_release_oid(minor_status,
+					    &out_union->name_type);
 		}
-		if (out_union->name_type)
-			(void) gss_release_oid(minor_status,
-					    &out_union->name_type);
 
 		dest_union = out_union;
 	} else
@@ -171,16 +174,18 @@
 	 * applies for both src and dest which ever is being used for
output
 	 */
 
-	if (dest_union->mech_name) {
-		(void) gssint_release_internal_name(minor_status,
+	if (dest_union)
+	{
+		if (dest_union->mech_name) {
+			(void)
gssint_release_internal_name(minor_status,
 						dest_union->mech_type,
 						&dest_union->mech_name);
+		}
+
+		if (dest_union->mech_type)
+			(void) gss_release_oid(minor_status,
&dest_union->mech_type);
 	}
 
-	if (dest_union->mech_type)
-		(void) gss_release_oid(minor_status,
&dest_union->mech_type);
-
-
 	if (output_name)
 		free(out_union);



_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
home help back first fref pref prev next nref lref last post