[455] in Kerberos-V5-bugs
duplicate free()'s and use of memory after free in do_as_req.c
daemon@ATHENA.MIT.EDU (David Parter)
Thu Apr 7 13:46:35 1994
To: krb5-bugs@MIT.EDU
Date: Thu, 07 Apr 1994 12:46:25 -0500
From: David Parter <dparter@cs.wisc.edu>
Hi. I am new to this kerberos stuff.... I hope I am working with the latest sources and reporting this to the correct place.
in the beta3 release, kdc/do_as_req.c
("$Id: do_as_req.c,v 5.35 1993/10/15 16:19:52 tytso Exp $")
has a bug in the function process_as_req().
At line 472, the cleanup() macro is defined:
#define cleanup() {krb5_db_free_principal(&client, 1); \
                   krb5_free_keyblock(session_key); \
                   memset(ticket_reply.enc_part.ciphertext.data, 0, \
                          ticket_reply.enc_part.ciphertext.length); \
                   free(ticket_reply.enc_part.ciphertext.data); \
                   free(cname); free(sname); \
                   if (client.salt_type == KRB5_KDB_SALTTYPE_NOREALM) \
                       krb5_xfree(padat_tmp[0]->contents);}
note that cleanup() free's cname and sname.
at line 517, cleanup is called.
in lines 524-534, cname and sname are used.
at lines 536 and 537, cname and sname are free'd again.
The malloc that I am using blows up when that happens.
Is it safe to move the cleanup from line 517 to where the two free's are,
and get rid of them?
thanks,
--david
--------
david parter dparter@cs.wisc.edu
university of wisconsin -- madison voice: 608-262-0608/262-2389
computer sciences department fax: 608-262-9777
postmaster, hostmaster, snakes/hpux, xunet/blanca, mentor, gopher,
ftp, software planning, training ...
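
The sequence described in this report, as an added example that is not part of the original message or of the Kerberos source: a small constructed allocation tracker replays the reported order (cleanup, use, free again) and the order the report asks about, and counts the duplicate frees and uses after free in each. The tracker functions (t_strdup, touch, t_finish) and the sample strings are hypothetical stand-ins for the KDC code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracker: freed blocks are quarantined so misuse is counted, not executed. */
static struct slot { char *p; int freed; } tab[8];
static int nslots, violations;

static char *t_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p || nslots == 8) abort();
    tab[nslots++] = (struct slot){ strcpy(p, s), 0 };
    return p;
}
static void touch(const void *p, int freeing) {   /* one read or free of p */
    for (int i = 0; i < nslots; i++) {
        if (tab[i].p != p) continue;
        if (tab[i].freed) violations++;   /* duplicate free or use after free */
        else tab[i].freed = freeing;
        return;
    }
}
#define t_use(p)  touch((p), 0)
#define t_free(p) touch((p), 1)
static int t_finish(void) {               /* release quarantine, return count */
    int v = violations;
    for (violations = 0; nslots; ) free(tab[--nslots].p);
    return v;
}

/* Order described in the report: cleanup(), then use, then free again. */
int reported_order(void) {
    char *cname = t_strdup("client"), *sname = t_strdup("server");
    t_free(cname); t_free(sname);         /* cleanup() called at line 517 */
    t_use(cname);  t_use(sname);          /* lines 524-534 */
    t_free(cname); t_free(sname);         /* lines 536 and 537 */
    return t_finish();
}
/* Order the report asks about: use first, then a single cleanup(). */
int proposed_order(void) {
    char *cname = t_strdup("client"), *sname = t_strdup("server");
    t_use(cname);  t_use(sname);
    t_free(cname); t_free(sname);
    return t_finish();
}
int main(void) {
    printf("reported=%d proposed=%d\n", reported_order(), proposed_order());
    return 0;
}
```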