[krbdev.mit.edu #8708] Incorrect error handling in OTP plugin
Robbie Harwood via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu Jun 21 14:38:20 EDT 2018
In otp_state.c:callback(), if we did not receive an accept packet, but
were not out of tokens, we invoke request_send() and then fall through
to the error case. This results in two things happening:
- First, we yield a failure. If request_send() succeeded, then we
erroneously report failure. But if request_send() has failed, we
report the failure again, and request_send() has already freed the
request object (making this a use-after-free).
- Second, we call request_free(). However, since request_send()
may have already freed the request, this is a double-free.
Thanks,
--Robbie
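The control-flow defect described in the report, modelled as an added example (not krb5's otp_state.c): the request struct, report(), and the run() driver are constructed, and request_free() only bumps a counter so the premature free and the double free show up as counts instead of as undefined behaviour.

```c
#include <stdbool.h>

/* Constructed model of the callback() control flow described in the report;
 * request_free() only bumps a counter so a double free is observable. */
typedef struct request {
    int tokens_left;   /* tokens still available to retry with */
    bool send_fails;   /* simulate request_send() failing */
    int result;        /* last outcome handed to the caller: 0 ok, -1 failure */
    int reports;       /* instrumentation: how often an outcome was reported */
    int frees;         /* instrumentation: how often request_free() ran */
} request;

static void report(request *req, int result) { req->result = result; req->reports++; }
static void request_free(request *req) { req->frees++; }

/* Like the request_send() the report describes: on failure it reports and frees. */
static int request_send(request *req)
{
    req->tokens_left--;
    if (req->send_fails) { report(req, -1); request_free(req); return -1; }
    return 0;   /* request stays alive, waiting for the next callback */
}

/* Buggy shape: after request_send() control falls through into the error path. */
static void callback_buggy(request *req, bool accepted)
{
    if (accepted) { report(req, 0); request_free(req); return; }
    if (req->tokens_left > 0)
        request_send(req);   /* no return: falls through */
    report(req, -1);         /* use-after-free if request_send() already freed req */
    request_free(req);       /* double free in that same case */
}

/* Fixed shape: once request_send() is called it owns the request, so return. */
static void callback_fixed(request *req, bool accepted)
{
    if (accepted) { report(req, 0); request_free(req); return; }
    if (req->tokens_left > 0) {
        request_send(req);
        return;
    }
    report(req, -1);
    request_free(req);
}

/* Drive one scenario and hand back the instrumented request for inspection. */
static request run(void (*cb)(request *, bool), bool accepted, int tokens, bool send_fails)
{
    request req = { .tokens_left = tokens, .send_fails = send_fails };
    cb(&req, accepted);
    return req;
}
```

With tokens remaining and a successful send, the buggy shape reports failure and frees once (the request should still be outstanding); with a failing send it reports twice and frees twice.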