author | Julien Rische <jrische@redhat.com> | 2023-02-01 15:57:26 +0100 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-07-06 17:14:49 -0400 |
commit | 81a226597d5d92c0c96a063da53a586a7cdd9bb7 (patch) | |
tree | a2398468d1ab1093d58a15a0ea311fed09027bca | |
parent | eb886f626526769e596443314bcbe4e8bd9d84ee (diff) | |
Fix possible double-free during KDB creation
In krb5_dbe_def_encrypt_key_data(), when we free
key_data->key_data_contents[0], reset it to null so the caller doesn't
free it as well.
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
manifests as a double-free during KDB creation if master key
encryption fails.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit fddd419fc4112a118d8091e296cc2bfa8d8f777b)
ticket: 9086
version_fixed: 1.20.2
-rw-r--r-- | src/lib/kdb/encrypt_key.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c8..91debea 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
 if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0, &plain, &cipher))) {
 free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
 return retval;
 }
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
 key_data->key_data_contents[1] = malloc(keysalt->data.length);
 if (key_data->key_data_contents[1] == NULL) {
 free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
 return ENOMEM;
 }
 memcpy(key_data->key_data_contents[1], keysalt->data.data, |
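Review bot: Both error paths (the krb5_c_encrypt failure in the first hunk and the salt malloc failure in the second) now clear the pointer for slot 0, but they leave the rest of that slot as it was. If the function set a length for slot 0 before these branches (that code is outside the hunks, so this is inferred), the caller gets back a NULL pointer paired with a non-zero length. Resetting it alongside the pointer, e.g. `key_data->key_data_length[0] = 0;`, would keep the structure self-consistent for any cleanup code that trusts the length. The free-and-reset pair is also duplicated; a single cleanup label would make it harder for a future error path to miss the reset. A short comment such as `/* Caller frees key_data on error; clear the pointer to avoid a double free. */` would record why the assignment is there. The body of krb5_dbe_def_encrypt_key_data starts and ends outside both hunks.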