Fix a free before use bug, it may lead to crashes but usually just corruptsrelease-1-2-0

the changepw dn we store so that it won't match. This causes normal password
changes to be interpreted as password resets instead, and the new legit
password is immediately expired.

1 files changed, 2 insertions, 3 deletions

diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 90474809e..ca367c816 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -3821,7 +3821,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
 {
 	krb5_context krbctx;
 	krb5_error_code krberr;
-	char *realm;
+	char *realm = NULL;
 	char *config_dn;
 	char *partition_dn;
 	Slapi_Entry *config_entry = NULL;
@@ -3861,11 +3861,9 @@ static int ipapwd_start( Slapi_PBlock *pb )
 	ipa_realm_dn = slapi_ch_smprintf("cn=%s,cn=kerberos,%s", realm, partition_dn);
 	if (!ipa_realm_dn) {
 		slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n");
-		free(realm);
 		ret = LDAP_OPERATIONS_ERROR;
 		goto done;
 	}
-	free(realm);
 
     ipa_pwd_config_dn = slapi_ch_strdup(config_dn);
     if (!ipa_pwd_config_dn) {
@@ -3885,6 +3883,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
     ret = LDAP_SUCCESS;
 
 done:
+	free(realm);
 	krb5_free_context(krbctx);
 	if (config_entry) slapi_entry_free(config_entry);
 	return ret;