authorSimo Sorce <ssorce@redhat.com>2007-12-07 18:09:49 -0500
committerSimo Sorce <ssorce@redhat.com>2007-12-07 18:09:49 -0500
commit647063253e31f543246e271ba07ddbf9e1dd74ed (patch)
treec205ac4d1dccf98992e1f5b7eb8a2951a213c422 /ipa-server
parent0b51e326996dd6a01fdca8a0b5a5160ca03c660b (diff)
Fix kdec.length or we may try to double free() or free() uninitialized data.
Diffstat (limited to 'ipa-server')
-rw-r--r--ipa-server/ipa-kpasswd/ipa_kpasswd.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
index b0020c04f..99dfe678f 100644
--- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c
+++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
@@ -664,6 +664,8 @@ void handle_krb_packets(uint8_t *buf, ssize_t buflen,
auth_context = NULL;
krep.length = 0;
krep.data = NULL;
+ kdec.length = 0;
+ kdec.data = NULL;
kprincpw = NULL;
context = NULL;
ticket = NULL;
@@ -859,6 +861,7 @@ void handle_krb_packets(uint8_t *buf, ssize_t buflen,
/* make sure password is cleared off before we free the memory */
memset(kdec.data, 0, kdec.length);
free(kdec.data);
+ kdec.length = 0;
kpreply:
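Review bot: After `free(kdec.data);` only the length is reset, so `kdec.data` keeps pointing at freed memory until it is reassigned below `kpreply:`. Adding `kdec.data = NULL;` next to the new `kdec.length = 0;` would mirror the initialisation in the first hunk and make a repeated `free()` harmless, whichever field the cleanup at `done:` tests (that code is outside the hunk). Separately, the `memset(kdec.data, 0, kdec.length);` that wipes the password sits directly before `free()`, where an optimising compiler may drop it as a dead store. A wipe that cannot be elided, such as `explicit_bzero(kdec.data, kdec.length);` where the platform provides it, would keep the guarantee the comment above it states.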
@@ -867,6 +870,7 @@ kpreply:
kdec.data = malloc(kdec.length);
if (!kdec.data) {
syslog(LOG_ERR, "Out of memory!");
+ kdec.length = 0;
goto done;
}