oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

lib/krb5: krb5_config_parse_file_multi use after free

Browse Source 
If the file is not a regular file, the 'fname' buffer will be freed
before it is passed to the krb5_set_error_message() routine.  That
this is true is not obvious from code inspection but 'newfname'
and 'fname' refer to the same memory.

Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f
This commit is contained in:
Jeffrey Altman
2017-03-18 11:06:45 -04:00
committed by Viktor Dukhovni
parent d8a112ae1a
commit 23ee804e9d
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/krb5/config_file.c
View File

@@ -658,9 +658,9 @@ krb5_config_parse_file_multi (krb5_context context,
if (!S_ISREG(st.st_mode)) { if (!S_ISREG(st.st_mode)) {
(void) fclose(f.f); (void) fclose(f.f);
context->config_include_depth--; context->config_include_depth--;
free(newfname);
krb5_set_error_message(context, EISDIR, "not a regular file %s: %s", krb5_set_error_message(context, EISDIR, "not a regular file %s: %s",
fname, strerror(EISDIR)); fname, strerror(EISDIR));
free(newfname);
return EISDIR; return EISDIR;
} }