krb5 commit [krb5-1.20]: Fix possible double-free during KDB creation
ghudson at mit.edu
Tue Jul 11 18:56:42 EDT 2023
https://github.com/krb5/krb5/commit/81a226597d5d92c0c96a063da53a586a7cdd9bb7
commit 81a226597d5d92c0c96a063da53a586a7cdd9bb7
Author: Julien Rische <jrische at redhat.com>
Date: Wed Feb 1 15:57:26 2023 +0100
Fix possible double-free during KDB creation
In krb5_dbe_def_encrypt_key_data(), when we free
key_data->key_data_contents[0], reset it to null so the caller doesn't
free it as well.
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
manifests as a double-free during KDB creation if master key
encryption fails.
[ghudson at mit.edu: edited commit message]
(cherry picked from commit fddd419fc4112a118d8091e296cc2bfa8d8f777b)
ticket: 9086
version_fixed: 1.20.2
src/lib/kdb/encrypt_key.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c810..91debea53 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
&plain, &cipher))) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return retval;
}
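Review bot: in the krb5_c_encrypt() failure branch, only the pointer in key_data_contents[0] is reset after the free; any length recorded for that slot earlier in the function (not visible in this hunk) would still be non-zero. If key_data_length[0] is set before this point, zero it alongside the pointer so a caller that inspects the length does not treat the slot as populated.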
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
key_data->key_data_contents[1] = malloc(keysalt->data.length);
if (key_data->key_data_contents[1] == NULL) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return ENOMEM;
}
memcpy(key_data->key_data_contents[1], keysalt->data.data,
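Review bot: the malloc() failure branch for key_data_contents[1] duplicates the free-then-NULL pair from the encrypt failure path above. Routing both exits through one cleanup label, or a small helper that frees and nulls slot 0, would keep a later error path from reintroducing the dangling pointer. The diffstat shows only encrypt_key.c changed, so a test that forces one of these failures during KDB creation would also be worth adding.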