krb5 commit: Fix bugs in previous cc_file.c changes
Greg Hudson
ghudson at mit.edu
Tue Jan 20 21:56:21 EST 2015
https://github.com/krb5/krb5/commit/14f039b40efd91b93b1148765bf0b7d3c90db58a
commit 14f039b40efd91b93b1148765bf0b7d3c90db58a
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Dec 16 12:57:56 2014 -0500
Fix bugs in previous cc_file.c changes
In fcc_destroy and krb5int_fcc_new_unique, call set_errmsg_filename
before deleting the cache handle, or else the reference to
data->filename is a use after free.
In set_errmsg_filename, do nothing if the code is 0, as we don't have
an error to annotate.
ticket: 8052
src/lib/krb5/ccache/cc_file.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index de9c968..6789c09 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -117,6 +117,8 @@ static krb5_error_code
set_errmsg_filename(krb5_context context, krb5_error_code ret,
const char *fname)
{
+ if (!ret)
+ return 0;
k5_setmsg(context, ret, "%s (filename: %s)", error_message(ret), fname);
return ret;
}
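Review bot: set_errmsg_filename has no comment stating its contract, and this hunk makes that contract less obvious. With the added `if (!ret)` guard it returns 0 without touching the context; otherwise it reads `fname` while formatting the message and returns `ret` unchanged. I would add a header comment above the function such as `/* Annotate ret's error message with fname and return ret; does nothing if ret is 0. fname must still be valid, so call this before freeing its owner. */`. The lifetime requirement is the cause of the use after free fixed in the other two hunks, so it belongs where callers will read it.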
@@ -644,12 +646,13 @@ fcc_destroy(krb5_context context, krb5_ccache id)
#endif /* MSDOS_FILESYSTEM */
cleanup:
+ (void)set_errmsg_filename(context, ret, data->filename);
k5_cc_mutex_unlock(context, &data->lock);
free_fccdata(context, data);
free(id);
krb5_change_cache();
- return set_errmsg_filename(context, ret, data->filename);
+ return ret;
}
extern const krb5_cc_ops krb5_fcc_ops;
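Review bot: Nothing at the `cleanup:` label records that the `set_errmsg_filename` call has to stay ahead of `free_fccdata(context, data)`, so a later tidy-up could move it back next to the `return` and reintroduce the use after free. The same applies at `err_out:` in krb5int_fcc_new_unique, where the call must precede `free(data->filename)`. A one-line comment at both sites would pin the ordering, for example `/* Annotate before freeing data; the message reads data->filename. */`. The body of fcc_destroy starts outside this hunk, so whether `data` is valid on every path that reaches `cleanup:` cannot be confirmed from here.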
@@ -893,11 +896,12 @@ krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id)
return 0;
err_out:
+ (void)set_errmsg_filename(context, ret, data->filename);
k5_cc_mutex_unlock(context, &data->lock);
k5_cc_mutex_destroy(&data->lock);
free(data->filename);
free(data);
- return set_errmsg_filename(context, ret, data->filename);
+ return ret;
}
/*
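Review bot: The `err_out:` path open-codes the teardown (`k5_cc_mutex_destroy(&data->lock); free(data->filename); free(data);`) while fcc_destroy releases the same structure through `free_fccdata`. Hand-written free sequences like this are where ordering mistakes of the kind fixed here tend to recur. If `free_fccdata` performs an equivalent teardown (its body is not visible in this diff), calling it here after the unlock would leave one place that defines the release order. The function body starts outside the hunk, so it is also worth confirming that every `goto err_out` happens after `data` and `data->filename` are set, since the new first statement dereferences both.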