oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: _kdc_do_kx509 fix use after free error

Browse Source 
In _kdc_do_kx509() do not free 'principal' until after its last
use.  Move declaration to top of function and free it during the
common exit processing.

Introduced by 10a5976e45.

Change-Id: Iaf000eb090b0fa523f04a4864c6b17058d922995
This commit is contained in:
Jeffrey Altman
2017-01-13 15:00:46 -05:00
parent 5d4a8a04f5
commit 303c62533f
1 changed files with 22 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
kdc/kx509.c
View File

@@ -338,6 +338,7 @@ _kdc_do_kx509(krb5_context context,
krb5_auth_context ac = NULL; krb5_auth_context ac = NULL;
krb5_keytab id = NULL; krb5_keytab id = NULL;
krb5_principal sprincipal = NULL, cprincipal = NULL; krb5_principal sprincipal = NULL, cprincipal = NULL;
krb5_principal principal = NULL;
char *cname = NULL; char *cname = NULL;
Kx509Response rep; Kx509Response rep;
size_t size; size_t size;
@@ -398,36 +399,31 @@ _kdc_do_kx509(krb5_context context,
if (ret) if (ret)
goto out; goto out;
{ ret = krb5_ticket_get_server(context, ticket, &principal);
krb5_principal principal = NULL; if (ret)
goto out;
ret = krb5_ticket_get_server(context, ticket, &principal); ret = krb5_principal_compare(context, sprincipal, principal);
if (ret != TRUE) {
char *expected, *used;
ret = krb5_unparse_name(context, sprincipal, &expected);
if (ret) if (ret)
goto out; goto out;
ret = krb5_unparse_name(context, principal, &used);
ret = krb5_principal_compare(context, sprincipal, principal); if (ret) {
krb5_free_principal(context, principal);
if (ret != TRUE) {
char *expected, *used;
ret = krb5_unparse_name(context, sprincipal, &expected);
if (ret)
goto out;
ret = krb5_unparse_name(context, principal, &used);
if (ret) {
krb5_xfree(expected);
goto out;
}
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_message(context, ret,
"User %s used wrong Kx509 service "
"principal, expected: %s, used %s",
cname, expected, used);
krb5_xfree(expected); krb5_xfree(expected);
krb5_xfree(used);
goto out; goto out;
} }
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_message(context, ret,
"User %s used wrong Kx509 service "
"principal, expected: %s, used %s",
cname, expected, used);
krb5_xfree(expected);
krb5_xfree(used);
goto out;
} }
ret = krb5_auth_con_getkey(context, ac, &key); ret = krb5_auth_con_getkey(context, ac, &key);
@@ -519,6 +515,8 @@ out:
krb5_free_principal(context, sprincipal); krb5_free_principal(context, sprincipal);
if (cprincipal) if (cprincipal)
krb5_free_principal(context, cprincipal); krb5_free_principal(context, cprincipal);
if (principal)
krb5_free_principal(context, principal);
if (key) if (key)
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);
if (cname) if (cname)