From 5e4d827e6153a833918bb2670aed9708ea3b51a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 25 Mar 2009 15:37:21 +0000
Subject: [PATCH] Patch from Riverbed (Derrick Pallas) under the license of the files they are in:

Fix resource leak in heimdal/krb5/fcache/fcc_remove_cred

In fcache, fcc_remove_cred generates a ccache called "newfile," which is not cleaned up if the final call (krb5_cc_move) fails.

Free of uninitialized value in fcache/fcc_move(...)

If init_fcc fails to acquire a file handle, sp will be uninitialized. If this is the case, the call to krb5_storage_free will dereference this uninitialized value, which causes undefined behaviour.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24944 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/fcache.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index 0d8e77ff9..d34f041cf 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -770,7 +770,13 @@ fcc_remove_cred(krb5_context context,
         return ret;
     }
 
-    return krb5_cc_move(context, newfile, id);
+    ret = krb5_cc_move(context, newfile, id);
+    if (ret) {
+        krb5_cc_destroy(context, newfile);
+        return ret;
+    }
+
+    return ret;
 }
 
 static krb5_error_code
@@ -914,7 +920,8 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
     krb5_storage *sp;
     int fd;
     ret = init_fcc (context, to, &sp, &fd);
-    krb5_storage_free(sp);
+    if (sp)
+        krb5_storage_free(sp);
     fcc_unlock(context, fd);
     close(fd);
 }
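Review bot: The new tail of fcc_remove_cred returns ret on both paths, so the guard block and the trailing `return ret;` duplicate each other; the same fix reads as two lines, `if (ret) krb5_cc_destroy(context, newfile); return ret;`. Destroying newfile on a failed move is the right cleanup, since per the commit message it is a freshly generated ccache that would otherwise be left behind on disk, and dropping krb5_cc_destroy's own return keeps the krb5_cc_move error as the one reported to the caller — that intent deserves a one-line comment such as `/* move failed: remove the temporary ccache rather than leave it behind */`. fcc_remove_cred begins before this hunk.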
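Review bot: The added `if (sp)` guard in fcc_move does not remove the undefined behaviour the commit message describes: `krb5_storage *sp;` is declared without an initializer, so when init_fcc fails before storing through &sp the guard itself reads an indeterminate pointer, which is just as undefined as the free it replaces. Initialize the variable at its declaration, `krb5_storage *sp = NULL;`, unless init_fcc is guaranteed to write *sp on every failure path (not visible here). The same concern applies to fd: `fcc_unlock(context, fd); close(fd);` run even when init_fcc returned an error, so fd may be indeterminate too — either check ret before the cleanup or initialize `int fd = -1;` and skip the unlock/close when it is still -1. fcc_move continues past the end of this hunk, so how ret is used afterwards is not visible.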