Fix possible null pointer deref, possible uninit ptr use, possible

leak in unlikely small-allocation failure case.

ticket: new
target_version: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20477 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 13 insertions, 6 deletions

diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c
index bd185bc..fa8ce4b 100644
--- a/src/lib/rpc/auth_gssapi.c
+++ b/src/lib/rpc/auth_gssapi.c
@@ -165,6 +165,11 @@ AUTH *auth_gssapi_create(
      auth = (AUTH *) malloc(sizeof(*auth));
      pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata));
      if (auth == NULL || pdata == NULL) {
+	  /* They needn't both have failed; clean up.  */
+	  free(auth);
+	  free(pdata);
+	  auth = NULL;
+	  pdata = NULL;
 	  rpc_createerr.cf_stat = RPC_SYSTEMERROR;
 	  rpc_createerr.cf_error.re_errno = ENOMEM;
 	  goto cleanup;
@@ -437,12 +442,14 @@ next_token:
      
 cleanup:
      PRINTF(("gssapi_create: bailing\n\n"));
-     
-     if (AUTH_PRIVATE(auth))
-	  auth_gssapi_destroy(auth);
-     else if (auth)
-	  free(auth);
-     auth = NULL;
+
+     if (auth) {
+	 if (AUTH_PRIVATE(auth))
+	     auth_gssapi_destroy(auth);
+	 else
+	     free(auth);
+	 auth = NULL;
+     }
      
      /* don't assume the caller will want to change clnt->cl_auth */
      clnt->cl_auth = save_auth;