authorTom Yu <tlyu@mit.edu>2005-07-12 20:07:06 +0000
committerTom Yu <tlyu@mit.edu>2005-07-12 20:07:06 +0000
commit69a15d658a54b4c551a207293bd85a4ec24a7a4b (patch)
tree963b7d974a772eb03d324555d86dfe373084aff0 /src
parent9755aac29ccaac6977a93aa4305963ac29748641 (diff)
fix MITKRB5-SA-2005-003 krb5_recvauth double-free
* recvauth.c (recvauth_common): Avoid double-free on invalid version string. Thanks to Magnus Hagander. Fix for MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332]. ticket: new target_version: 1.4.2 tags: pullup component: krb5-libs git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17299 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/krb/ChangeLog4
-rw-r--r--src/lib/krb5/krb/recvauth.c2
2 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index ce0b970efa..4128f0afb5 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,5 +1,9 @@
2005-07-12 Tom Yu <tlyu@mit.edu>
+ * recvauth.c (recvauth_common): Avoid double-free on invalid
+ version string. Thanks to Magnus Hagander. Fix for
+ MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332].
+
* unparse.c (krb5_unparse_name_ext): Account for zero-component
principal, to avoid single-byte overflow. Thanks to Daniel
Wachdorf. Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index e69be67f0f..92bcad7a9a 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -75,7 +75,6 @@ recvauth_common(krb5_context context,
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (strcmp(inbuf.data, sendauth_version)) {
- krb5_xfree(inbuf.data);
problem = KRB5_SENDAUTH_BADAUTHVERS;
}
krb5_xfree(inbuf.data);
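Review bot: The `strcmp(inbuf.data, sendauth_version)` call kept as context in this hunk treats the peer-supplied buffer as a C string, and nothing visible here checks that it is non-empty and NUL-terminated. If krb5_read_message can hand back a zero-length message (possibly with a NULL data pointer) or one without a trailing '\0', the comparison dereferences NULL or reads past the allocation before the one remaining krb5_xfree is reached; its body is not shown, so this needs confirming. A guard such as `if (inbuf.length == 0 || inbuf.data[inbuf.length - 1] != '\0' || strcmp(inbuf.data, sendauth_version))` would reject such input with the same KRB5_SENDAUTH_BADAUTHVERS result. The `appl_version` comparison in the next hunk has the same shape. recvauth_common starts and ends outside both hunks.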
@@ -89,7 +88,6 @@ recvauth_common(krb5_context context,
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (appl_version && strcmp(inbuf.data, appl_version)) {
- krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}