From 1a0e5358711a6295ff1df7d7e51f70fc59c4cf86 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Mon, 2 Jan 2023 20:52:24 -0600
Subject: [PATCH] hpropd: Fix use-after-free? (WIP)

---
 kdc/hpropd.c | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

diff --git a/kdc/hpropd.c b/kdc/hpropd.c
index fa06a1fd4..255d60949 100644
--- a/kdc/hpropd.c
+++ b/kdc/hpropd.c
@@ -78,7 +78,7 @@ main(int argc, char **argv)
     krb5_socket_t sock = rk_INVALID_SOCKET;
     HDB *db = NULL;
     int optidx = 0;
-    char *tmp_db;
+    char *tmp_db = NULL;
     krb5_log_facility *fac;
     int nprincs;
 
@@ -208,20 +208,15 @@ main(int argc, char **argv)
 	    krb5_err(context, 1, ret, "krb5_kt_close");
     }
 
-    if (!print_dump) {
-	int aret;
+    if (asprintf(&tmp_db, "%s~", database) < 0 || tmp_db == NULL)
+	krb5_errx(context, 1, "hdb_create: out of memory");
 
-	aret = asprintf(&tmp_db, "%s~", database);
-	if (aret == -1)
-	    krb5_errx(context, 1, "hdb_create: out of memory");
-
-	ret = hdb_create(context, &db, tmp_db);
-	if (ret)
-	    krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
-	ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
-	if (ret)
-	    krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
-    }
+    ret = hdb_create(context, &db, tmp_db);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
+    ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
 
     nprincs = 0;
     while (1){
@@ -244,14 +239,6 @@ main(int argc, char **argv)
 		data.length = 0;
 		krb5_write_priv_message(context, ac, &sock, &data);
 	    }
-	    if (!print_dump) {
-		ret = db->hdb_close(context, db);
-		if (ret)
-		    krb5_err(context, 1, ret, "db_close");
-		ret = db->hdb_rename(context, db, database);
-		if (ret)
-		    krb5_err(context, 1, ret, "db_rename");
-	    }
 	    break;
 	}
 	memset(&entry, 0, sizeof(entry));
@@ -284,6 +271,13 @@ main(int argc, char **argv)
     if (!print_dump)
 	krb5_log(context, fac, 0, "Received %d principals", nprincs);
 
+    ret = db->hdb_close(context, db);
+    if (ret)
+	krb5_err(context, 1, ret, "db_close");
+    ret = db->hdb_rename(context, db, database);
+    if (ret)
+	krb5_err(context, 1, ret, "db_rename");
+
     if (inetd_flag == 0)
 	rk_closesocket(sock);