Better fix: Delay setting 'outbuf' until after the header buffer might

have been allocated locally, and set it in both code paths instead of
just the confidentiality-requested code path.

ticket: 6412
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22082 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 2 insertions, 3 deletions

diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index 85f9036b30..c30352b0a5 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -90,8 +90,6 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
 
     trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 
-    outbuf = (unsigned char *)header->buffer.value;
-
     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
         unsigned int k5_headerlen, k5_trailerlen, k5_padlen;
         size_t ec = 0;
@@ -131,11 +129,11 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
 
         if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
             code = kg_allocate_iov(header, (size_t) gss_headerlen);
-            outbuf = (unsigned char *)header->buffer.value;
         } else if (header->buffer.length < gss_headerlen)
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
+        outbuf = (unsigned char *)header->buffer.value;
         header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {
@@ -205,6 +203,7 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
+        outbuf = (unsigned char *)header->buffer.value;
         header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {