From 23ee804e9d23ed83a3a502501dbe5fe50ab9094a Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 18 Mar 2017 11:06:45 -0400 Subject: [PATCH] lib/krb5: krb5_config_parse_file_multi use after free If the file is not a regular file, the 'fname' buffer will be freed before it is passed to the krb5_set_error_message() routine. That this is true is not obvious from code inspection but 'newfname' and 'fname' refer to the same memory. Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f --- lib/krb5/config_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c index 50c12173d..86e9ad5d6 100644 --- a/lib/krb5/config_file.c +++ b/lib/krb5/config_file.c @@ -658,9 +658,9 @@ krb5_config_parse_file_multi (krb5_context context, if (!S_ISREG(st.st_mode)) { (void) fclose(f.f); context->config_include_depth--; - free(newfname); krb5_set_error_message(context, EISDIR, "not a regular file %s: %s", fname, strerror(EISDIR)); + free(newfname); return EISDIR; }