[krbdev.mit.edu #6817] potential null dereference in gss mechglue

[Arlene Berry via RT]

In src/lib/gssapi/mechglue/g_canon_name.c in gss_canonicalize_name in
the allocation_failure section out_union is dereferenced without first
checking whether it was allocated. 

--- src/lib/gssapi/mechglue/g_canon_name.c	(revision 52314)
+++ src/lib/gssapi/mechglue/g_canon_name.c	(revision 52315)
@@ -153,14 +153,17 @@
 allocation_failure:
 	/* do not delete the src name external name format */
 	if (output_name) {
-		if (out_union->external_name) {
-			if (out_union->external_name->value)
-				free(out_union->external_name->value);
-			free(out_union->external_name);
+		if (out_union)
+		{
+			if (out_union->external_name) {
+				if (out_union->external_name->value)
+
free(out_union->external_name->value);
+				free(out_union->external_name);
+			}
+			if (out_union->name_type)
+				(void) gss_release_oid(minor_status,
+					    &out_union->name_type);
 		}
-		if (out_union->name_type)
-			(void) gss_release_oid(minor_status,
-					    &out_union->name_type);
 
 		dest_union = out_union;
 	} else
@@ -171,16 +174,18 @@
 	 * applies for both src and dest which ever is being used for
output
 	 */
 
-	if (dest_union->mech_name) {
-		(void) gssint_release_internal_name(minor_status,
+	if (dest_union)
+	{
+		if (dest_union->mech_name) {
+			(void)
gssint_release_internal_name(minor_status,
 						dest_union->mech_type,
 						&dest_union->mech_name);
+		}
+
+		if (dest_union->mech_type)
+			(void) gss_release_oid(minor_status,
&dest_union->mech_type);
 	}
 
-	if (dest_union->mech_type)
-		(void) gss_release_oid(minor_status,
&dest_union->mech_type);
-
-
 	if (output_name)
 		free(out_union);