| author | Tom Yu <tlyu@mit.edu> | 2005-12-28 23:02:32 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2005-12-28 23:02:32 +0000 |
| commit | c71bc32aaa17cc9c1e03f2cd158b55b96d816a82 (patch) | |
| tree | a8eebb4dc15e3ab825a35c0609d9f39d5e697053 /src/lib | |
| parent | 3afc54e352d2d87ba7c7204ef4a0c323255156e4 (diff) | |
* gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Cause free_tgt and
free_otgt to track the states of tgt and otgt correctly, to avoid
a double-free condition which previously happened when this
function returned to krb5_get_credentials(), which proceeded to
free a previously freed TGT in the returned TGT list.
ticket: 3313
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17578 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/krb/ChangeLog | 8 | ||||
| -rw-r--r-- | src/lib/krb5/krb/gc_frm_kdc.c | 23 |
2 files changed, 19 insertions, 12 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 90c03df6a..8c91b1a60 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,11 @@ +2005-12-28 Tom Yu <tlyu@mit.edu> + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Cause free_tgt and + free_otgt to track the states of tgt and otgt correctly, to avoid + a double-free condition which previously happened when this + function returned to krb5_get_credentials(), which proceeded to + free a previously freed TGT in the returned TGT list. + 2005-10-19 Ken Raeburn <raeburn@mit.edu> * Makefile.in (t_ser): Add dl library and thread link options, diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index 70ca55f4e..a4a0118f6 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -230,15 +230,15 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, &tgtq.server))) goto cleanup; + if (free_otgt) + krb5_free_cred_contents(context, &otgt); otgt = tgt; - free_otgt = 1; + free_otgt = free_tgt; free_tgt = 0; retval = krb5_cc_retrieve_cred(context, ccache, retr_flags, &tgtq, &tgt); if (retval == 0) { - krb5_free_cred_contents(context, &otgt); - free_otgt = 0; free_tgt = 1; /* We are now done - proceed to got/finally have tgt */ } else { @@ -250,8 +250,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, /* with current tgt. */ /* Copy back in case invalided */ tgt = otgt; + free_tgt = free_otgt; free_otgt = 0; - free_tgt = 1; if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; 
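Review bot: The ownership rule the @@ -230 hunk now depends on is not written down in the new code: after `otgt = tgt; free_otgt = free_tgt; free_tgt = 0;` both structs hold the same pointers, and only the flag says which one may be passed to `krb5_free_cred_contents()`. The same hand-maintained transfer is repeated in the `else` branch at @@ -250 and again at @@ -304 and @@ -324, so a later edit to any one copy can reintroduce the double free this commit fixes. I would add a comment above the first transfer, for example `/* otgt takes over tgt's contents; for structs sharing pointers at most one of free_tgt/free_otgt is set */`, and consider moving the three-statement transfer into a small static helper so the four sites cannot drift apart. The enclosing loop and the cleanup code that consumes these flags lie outside the hunk, so whether cleanup checks both flags cannot be confirmed from here.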
@@ -304,16 +304,15 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, &tgtq.server))) goto cleanup; + if (free_otgt) + krb5_free_cred_contents(context, &otgt); otgt = tgt; - free_otgt = 1; + free_otgt = free_tgt; free_tgt = 0; retval = krb5_cc_retrieve_cred(context, ccache, retr_flags, &tgtq, &tgt); if (retval == 0) { - if (free_otgt) - krb5_free_cred_contents(context, &otgt); - free_otgt = 0; free_tgt = 1; /* Continues with 'got one as close as possible' */ } else { @@ -324,8 +323,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, /* not in the cache so try and get one with our current tgt. */ tgt = otgt; + free_tgt = free_otgt; free_otgt = 0; - free_tgt = 1; if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; @@ -359,9 +358,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_free_creds(context, tgtr); tgtr = NULL; - if (free_otgt) { - krb5_free_cred_contents(context, &otgt); - free_otgt = 0; + if (free_tgt) { + krb5_free_cred_contents(context, &tgt); + free_tgt = 0; } tgt = *ret_tgts[ntgts++]; |
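Review bot: At the end of the @@ -359 hunk, `tgt = *ret_tgts[ntgts++];` makes `tgt` a shallow copy of a credential that the returned TGT list owns, and nothing in the new lines says that `free_tgt` must stay 0 from that point on. The commit message names this aliasing as the source of the double free seen in krb5_get_credentials(), so the assignment deserves a comment such as `/* tgt aliases ret_tgts[ntgts-1]; the list owns it, so free_tgt stays 0 */`. The hunk also no longer releases `otgt` here. Presumably it is freed at the top of the next iteration or at cleanup, both outside this hunk, which is worth confirming so the fix does not trade the double free for a leak.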
