From 124b8d0f7823663bec212ec3e8c049cfc391e3cd Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Fri, 21 Jan 2022 09:16:35 -0500
Subject: [PATCH] kadmin: kadmind_dispatch do not write NULL 'rsp' to 'out'

1b213c1082be4ef5a1c23928d614c762f837dbe7 ("kadmind: Add missing error checks") altered the behavior of kadmin_dispatch() such that it unconditionally called krb5_storage_to_data(rsp, out);

This change was unsafe because krb5_unparse_name_fixed() failure would skip the allocation of the 'rsp' and 'sp' krb5_storage objects.

This change allocates the krb5_storage objects prior to performing any work. If either of them fail, kadmin_dispatch() immediately returns ENOMEM.

Change-Id: I14fd96afe029a4e74bb769605286ca0e17d25043
---
 kadmin/server.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/kadmin/server.c b/kadmin/server.c
index dbd2f81b2..e303a48e2 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -59,22 +59,25 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
 char **princs;
 int n_princs;
 int keys_ok = 0;
- krb5_storage *rsp = NULL; /* response goes here */
- krb5_storage *sp = NULL;
+ krb5_storage *rsp; /* response goes here */
+ krb5_storage *sp;
 int len;
 
 memset(&ent, 0, sizeof(ent));
 memset(&ent_prev, 0, sizeof(ent_prev));
 krb5_data_zero(out);
 
- ret = krb5_unparse_name_fixed(contextp->context, contextp->caller,
- client, sizeof(client));
- if (ret == 0) {
- rsp = krb5_storage_emem();
- sp = krb5_storage_from_data(in);
- if (rsp == NULL || sp == NULL)
- ret = krb5_enomem(contextp->context);
+ rsp = krb5_storage_emem();
+ if (rsp == NULL)
+ return krb5_enomem(contextp->context);
+
+ sp = krb5_storage_from_data(in);
+ if (sp == NULL) {
+ krb5_storage_free(rsp);
+ return krb5_enomem(contextp->context);
 }
+
+ ret = krb5_unparse_name_fixed(contextp->context, contextp->caller,
 if (ret == 0)
 ret = krb5_ret_int32(sp, &cmd);
 if (ret)
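Review bot: The re-added `ret = krb5_unparse_name_fixed(contextp->context, contextp->caller,` at the end of the hunk has no continuation line: the removed `client, sizeof(client));` is not re-added on the new side and the `+59,25` count leaves no room for it, so the new code as rendered here does not compile — most likely a line lost in this rendering rather than in the commit, but worth checking against the tree. Because the whole point of allocating `rsp` and `sp` first is that the common exit can always serialize `rsp` into `out`, a comment above the allocations would keep a later refactor from reintroducing the crash, e.g. `/* Allocate rsp and sp before anything can fail: the exit path unconditionally writes rsp to 'out'. */`. The two early `return krb5_enomem(...)` paths skip whatever cleanup follows `if (ret)`; that is correct here only because nothing else has been acquired yet, so any resource acquired above these lines in future must also be released on them. kadmind_dispatch begins and ends outside this hunk.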