[krbdev.mit.edu #3924] the krb5_get_server_rcache routine frees already freed memory in error path

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Jun 22 15:24:52 EDT 2006


Date: Thu, 22 Jun 2006 17:46:59 +0200
From: Rainer Weikusat <rainer.weikusat at sncag.com>
Message-Id: <200606221546.k5MFkxks006097 at skamandros.sncag.com>
To: krb5-bugs at mit.edu
Subject: double-free in srv_rcache.c


>Submitter-Id:	net
>Originator:	Rainer Weikusat
>Organization:
	SNC AG
>Confidential:	no
>Synopsis:	the krb5_get_server_rcache routine frees already freed memory in error path
>Severity:	non-critical
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.4.3
>Environment:
	
System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686

>Description:
	The krb5_get_server_rcache routine in src/lib/krb5/krb has a local
	variable named rcache which is freed before returning to the caller
	if its value is not a null pointer. The krb5_rc_resolve_full routine
	(in src/lib/krb5/rcache/rc_base.c) which is called by
	krb5_get_server_rcache towards the end (l. 107) allocates memory for
	a krb5 rcache descriptor structure and stores the corresponding
	address at the location its parameter id points to. When called from
	krb5_get_server_rcache, this is the address of the rcache variable.
	If the type cannot be resolved (e.g. because it hasn't been registered),
	the memory is freed but the already initialized pointer is not
	cleared, which causes the calling routine to attempt to free it
	for a second time.
>How-To-Repeat:
	Use the KRB5RCACHETYPE variable to request using a replay cache
	type unknown to the Kerberos library.
>Fix:
--- kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c	19 Mar 2006 14:42:00 -0000	1.1.1.1
+++ kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c	22 Jun 2006 15:26:59 -0000	1.1.1.1.12.1
@@ -115,17 +115,13 @@
     retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew);
     if (retval) {
 	krb5_rc_close(context, rcache);
-	rcache = 0;
 	goto cleanup;
     }
 
     *rcptr = rcache;
-    rcache = 0;
     retval = 0;
 
 cleanup:
-    if (rcache)
-	krb5_xfree(rcache);
     if (cachename)
 	krb5_xfree(cachename);
     return retval;
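Review bot: the hunk removes the caller's defensive `if (rcache) krb5_xfree(rcache);` and both `rcache = 0;` resets, but the root cause named in the description is that krb5_rc_resolve_full frees the descriptor on an unknown type without clearing the pointer it stored through its id parameter; fixing only this caller leaves every other caller of krb5_rc_resolve_full with the same dangling pointer, so the callee should also reset `*id` (or store it only on success), after which this hunk is a simplification rather than the fix. Since after the change no release of rcache is visible anywhere in this function, a one-line comment in the cleanup block noting that krb5_rc_close owns and frees rcache on the error path would help the next reader.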

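A minimal C model of the defect described in the report, added here as an illustration and not code from the krb5 tree: rcache_t, resolve_buggy, resolve_fixed and get_server_rcache are constructed stand-ins for the real descriptor and routines, and a single-slot tracking allocator replaces malloc/free so the double free is counted rather than triggered.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a krb5 rcache descriptor; not the real struct. */
typedef struct { const char *type; int live; } rcache_t;

/* Single-slot tracking allocator so the double free is observable instead of
 * undefined behaviour: a free of an already-dead slot is counted. */
static rcache_t slot;
static int double_frees;
static rcache_t *rc_alloc(void) { slot.live = 1; return &slot; }
static void rc_free(rcache_t *rc) { if (!rc->live) double_frees++; rc->live = 0; }

/* Models krb5_rc_resolve_full as the report describes it: the address is
 * stored through *idptr before the type is checked, and on an unknown type
 * the block is freed but *idptr is left pointing at freed memory. */
static int resolve_buggy(rcache_t **idptr, const char *type) {
    rcache_t *rc = rc_alloc();
    *idptr = rc;
    if (strcmp(type, "dfl") != 0) { rc_free(rc); return -1; }
    rc->type = type;
    return 0;
}

/* Hardened callee: publish the pointer only once resolution succeeded and
 * clear the output on failure, so a caller's "if (p) free(p)" stays safe. */
static int resolve_fixed(rcache_t **idptr, const char *type) {
    rcache_t *rc = rc_alloc();
    *idptr = NULL;
    if (strcmp(type, "dfl") != 0) { rc_free(rc); return -1; }
    rc->type = type;
    *idptr = rc;
    return 0;
}

/* Caller mirroring krb5_get_server_rcache's "free rcache if non-null" cleanup
 * idiom. Returns the number of double frees observed during the call. */
static int get_server_rcache(int (*resolve)(rcache_t **, const char *),
                             const char *type, rcache_t **out) {
    rcache_t *rcache = NULL;
    int retval;
    double_frees = 0;
    *out = NULL;
    retval = resolve(&rcache, type);
    if (retval == 0) { *out = rcache; rcache = NULL; }  /* ownership passed */
    if (rcache) rc_free(rcache);  /* cleanup: second free when callee dangled */
    return double_frees;
}
```

With the buggy callee and an unregistered type the caller frees the dead descriptor a second time; with the hardened callee the same path frees nothing.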