krb5 commit: Fix pkinit_server_verify_padata() error handling
ghudson at mit.edu
Tue Jun 17 18:32:41 EDT 2025
https://github.com/krb5/krb5/commit/1113e746abd0c30b4522c75a99426185e6ab8772
commit 1113e746abd0c30b4522c75a99426185e6ab8772
Author: Anastasia Belova <nabelova31 at gmail.com>
Date: Mon Jun 2 12:28:49 2025 +0300
Fix pkinit_server_verify_padata() error handling
Avoid a null dereference if pkinit_init_kdc_req_context() fails to
allocate reqctx.
[ghudson at mit.edu: fixed cleanup handler to work with reqctx == NULL
instead of avoiding the cleanup handler on allocation failure]
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 7a0fa69ee..13214d24e 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -605,7 +605,7 @@ pkinit_server_verify_padata(krb5_context context,
reqctx = NULL;
cleanup:
- if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
+ if (retval && reqctx != NULL && data->pa_type == KRB5_PADATA_PK_AS_REQ) {
pkiDebug("pkinit_verify_padata failed: creating e-data\n");
if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx,
plgctx->idctx, plgctx->opts, retval, &e_data))
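Review bot: The added `reqctx != NULL` test in the `cleanup:` condition silently skips e-data creation whenever retval is set but reqctx was never allocated, and nothing at the site says this is intended. A short comment above the `if` noting that reqctx is NULL here when pkinit_init_kdc_req_context() failed (as the commit message states) would keep a later reader from dropping the check or assuming every KRB5_PADATA_PK_AS_REQ failure returns e-data. The guard does match the dereference it protects, `reqctx->cryptoctx` in the pkinit_create_edata() call. The remainder of the cleanup block is outside this hunk, and the context line just above the label already sets `reqctx = NULL`, so cleanup is reached with a NULL reqctx on more than one path; any later use of reqctx in that block should be confirmed NULL-safe too.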
More information about the cvs-krb5
mailing list