[krbdev.mit.edu #7162] krb5_verify_init_creds frees its input argument
Russ Allbery <rra@stanford.edu> via RT
rt-comment at krbdev.mit.edu
Wed Jun 6 17:42:57 EDT 2012

Commit caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 introduced a bug in
krb5_verify_init_creds that causes it to unconditionally free the
caller-provided server krb5_principal argument.

The previous code contained this branch to preserve the input argument:

- if (server_arg) {
- ret = krb5_copy_principal(context, server_arg, &server);
- if (ret)
- goto cleanup;
so that server could later be unconditionally freed. This
krb5_copy_principal was dropped by the refactoring. This results in a
double-free for callers, like pam-krb5, that expect to be responsible
for freeing the krb5_principal that they're passing in.
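
Review bot: the removed `if (server_arg)` branch quoted above was the only thing that made the later unconditional free of `server` safe, so with the krb5_copy_principal call gone the function releases memory the caller still owns. Either restore the copy of server_arg into server, or free server at cleanup only when it was allocated locally (that is, when server_arg was NULL).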