author | Greg Hudson <ghudson@mit.edu> | 2014-03-13 18:34:22 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2015-02-06 17:05:21 -0500 |
commit | 32d98df8acbc7155b513142c8b6e5ce6b5fb78d8 (patch) | |
tree | eccd056f2835582e49cbebc7ed8811472815083d | |
parent | 9405da09b12766e3e88ce0fe543b43ee8b3b680f (diff) | |
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
(cherry picked from commit cc002d6c1ccfc08356d01ba83e72a46855d0302c)
ticket: 8091 (new)
version_fixed: 1.11.6
status: resolved
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f84012c..c4a58cd 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -211,7 +211,6 @@ pa_pkinit_gen_req(krb5_context context,
 cleanup:
 if (der_req != NULL)
 krb5_free_data(context, der_req);
- free(out_data);
 if (retval) {
 if (return_pa_data) {
@@ -221,9 +220,9 @@ cleanup:
 }
 if (out_data) {
 free(out_data->data);
- free(out_data);
 }
 }
+ free(out_data);
 return retval;
 }
|
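Review bot: The ownership rule for `out_data` is left undocumented at the `cleanup:` label in the second hunk: the buffer `out_data->data` is released only when `retval` is non-zero, while the container is released on every path, and nothing in the new code says why the two differ. That unstated rule is what allowed the free, dereference, free sequence described in the commit message, so I would add a comment above the `if (out_data)` test such as `/* Failure: the buffer is still ours, so release it; the container itself is freed below on all paths. */`. Presumably the success path hands `out_data->data` to the returned pa-data, but that assignment is outside the hunk and should be confirmed before the comment states it as fact. The body of `pa_pkinit_gen_req` begins outside both hunks, so this note covers only the cleanup section shown.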