From f8ba91164c1640053e9b7226fef8fb423f19c478 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 18 Sep 2023 09:09:23 +1200
Subject: [PATCH] =?UTF-8?q?kdc:=20Don=E2=80=99t=20use=20uninitialized=20va?= =?UTF-8?q?riable?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The call to free_KDCDHKeyInfo(), further down, could have caused heap corruption.

Found by Coverity (Samba CID 1544611).

Signed-off-by: Joseph Sutton
---
 kdc/pkinit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index d06fc32cf..96cc9a176 100644
--- kdc/pkinit.c
+++ kdc/pkinit.c
@@ -1045,9 +1045,9 @@ pk_mk_pa_reply_dh(krb5_context context,
 unsigned char *p;
 ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, &p,
 &dh_info.subjectPublicKey.length);
- dh_info.subjectPublicKey.data = p;
 if (ret)
 goto out;
+ dh_info.subjectPublicKey.data = p;
 } else
 krb5_abortx(context, "no keyex selected ?");
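Review bot: `p` is still declared without an initializer at the top of this branch, so the fix holds only while every use of it stays behind the `if (ret) goto out;` check; declaring it as `unsigned char *p = NULL;` would keep the pointer defined even if the assignment is moved again. The error path now relies on `dh_info.subjectPublicKey.data` already holding a defined value when `free_KDCDHKeyInfo()` runs further down, and that initialization is not visible in this hunk, so it is worth confirming (presumably `dh_info` is zeroed earlier in `pk_mk_pa_reply_dh`, whose body starts and ends outside the hunk). `&dh_info.subjectPublicKey.length` is also handed to `_kdc_serialize_ecdh_key()` before the check, so if the helper can store a length before failing, the struct would reach cleanup with a non-zero length and no data.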