authorLukas Slebodnik <lslebodn@redhat.com>2014-04-08 10:56:22 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-04-08 14:12:23 +0200
commit47bc2d6639c41da1e5bac37eb4af3559bbc0e10e (patch)
tree0bc82e199cf373bead318d8d32d768d446e26da0 /src/providers/krb5
parentdce1791fc357bebf938f9af93d7e0ec72ac7f719 (diff)
krb5_child: Fix use after free in debug message
debug_prg_name is used in debug_fn and was allocated under the talloc context "kr". The variable "kr" was freed before the last debug messages in function main. There is very little chance that the freed memory will be overwritten in the meantime. The issue can be seen with the exported environment variable TALLOC_FREE_FILL=255.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c26
1 files changed, 15 insertions, 11 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c243d063b..81f86bbe8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1999,14 +1999,9 @@ int main(int argc, const char *argv[])
DEBUG_INIT(debug_level);
- kr = talloc_zero(NULL, struct krb5_req);
- if (kr == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
- exit(-1);
- }
-
- debug_prg_name = talloc_asprintf(kr, "[sssd[krb5_child[%d]]]", getpid());
+ debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid());
if (!debug_prg_name) {
+ debug_prg_name = "[sssd[krb5_child]]";
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
ret = ENOMEM;
goto done;
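Review bot: The `goto done` on the talloc_asprintf failure path now runs before `kr` is allocated, so `krb5_cleanup(kr)` and `talloc_free(kr)` at `done:` receive whatever value `kr` had at its declaration. The same holds for the new `kr == NULL` branch in the second hunk, which used to call `exit(-1)` directly. The declaration of `kr` and the body of krb5_cleanup are outside the visible hunks, so this is only safe if `kr` is initialised to NULL and krb5_cleanup accepts a NULL request. If either is not guaranteed, guard the cleanup with `if (kr != NULL) { krb5_cleanup(kr); talloc_free(kr); }`, or at least state the NULL contract in a comment on krb5_cleanup.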
@@ -2021,6 +2016,14 @@ int main(int argc, const char *argv[])
DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n");
+ kr = talloc_zero(NULL, struct krb5_req);
+ if (kr == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ talloc_steal(kr, debug_prg_name);
+
ret = k5c_recv_data(kr, STDIN_FILENO, &offline);
if (ret != EOK) {
goto done;
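Review bot: `talloc_steal(kr, debug_prg_name)` ties the lifetime of the logging prefix back to `kr`, which is the same coupling that caused the use after free this commit fixes. After `talloc_free(kr)` the global `debug_prg_name` still points at freed memory, and correctness depends entirely on no DEBUG call running later. Since the process exits right after cleanup, consider dropping the steal and leaving the string on the NULL context for the life of the process. If the steal stays for leak-checker cleanliness, a comment such as `/* kr owns debug_prg_name from here on; nothing may log after talloc_free(kr) */` would record the constraint. main continues outside this hunk.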
@@ -2079,13 +2082,14 @@ int main(int argc, const char *argv[])
}
done:
- krb5_cleanup(kr);
- talloc_free(kr);
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
- exit(0);
+ ret = 0;
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n");
- exit(-1);
+ ret = -1;
}
+ krb5_cleanup(kr);
+ talloc_free(kr);
+ exit(ret);
}
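Review bot: Nothing at `done:` records why `krb5_cleanup(kr)` and `talloc_free(kr)` had to move below the two DEBUG calls, so a later edit that adds a log line after the free would silently reintroduce the bug. A short comment before the cleanup would pin the ordering, for example `/* debug_prg_name is freed with kr: keep every DEBUG() above this point */`. Note also that `exit(ret)` runs any registered atexit handlers while `debug_prg_name` is dangling. Whether any handler logs is not visible here, so that is worth confirming.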