authorGreg Hudson <ghudson@mit.edu>2014-03-13 18:34:22 -0400
committerGreg Hudson <ghudson@mit.edu>2014-03-18 13:01:13 -0400
commitcc002d6c1ccfc08356d01ba83e72a46855d0302c (patch)
tree2394f2f6bf646f84a57ba5997cc3494d08ca3e84
parentcb3db58b1942998a5e2c4d46c21ca0554e769a8c (diff)
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero retval and non-null out_data, out_data is freed, then dereferenced, then freed again. This can only happen if one of the small fixed-size malloc requests fails after pkinit_as_req_create succeeds, so it is unlikely to occur in practice. ticket: 7878 (new) target_version: 1.12.2 tags: pullup
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index bfa25ae61..cfef5b9dc 100644
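--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,7 +212,6 @@ pa_pkinit_gen_req(krb5_context context,
 cleanup:
 if (der_req != NULL)
 krb5_free_data(context, der_req);
-free(out_data);
 if (retval) {
 if (return_pa_data) {
@@ -222,9 +221,9 @@ cleanup:
 }
 if (out_data) {
 free(out_data->data);
-free(out_data);
 }
 }
+free(out_data);
 return retval;
 }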
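Review bot: The ownership rule that makes the moved `free(out_data)` correct is left implicit at the cleanup label: `out_data->data` is released only on failure while the `out_data` container is now released on every path, which presumably means the buffer is handed to `return_pa_data` on success. A comment stating that invariant would keep a later reader from reintroducing a free on the success path; I would add `/* On success out_data->data is owned by the returned pa_data; the container itself is always freed here. */` above the `if (retval)` block. The inner `if (out_data)` could also use the `!= NULL` form that the `der_req` check three lines above already uses, so the two null tests in the same cleanup read the same way. pa_pkinit_gen_req begins before the hunk, and each hunk appears one context line short of its `@@` count, so a blank context line was likely dropped by the renderer.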