authorJulien Rische <jrische@redhat.com>2023-02-01 15:57:26 +0100
committerGreg Hudson <ghudson@mit.edu>2023-03-01 17:06:05 -0500
commitfddd419fc4112a118d8091e296cc2bfa8d8f777b (patch)
tree3c832d7d546f8b9079d68f70663db5672a5f9db9
parent9139a60c94c24e41109574e84e7cda9c2dc3fb38 (diff)
Fix possible double-free during KDB creation
In krb5_dbe_def_encrypt_key_data(), when we free key_data->key_data_contents[0], reset it to null so the caller doesn't free it as well. Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug manifests as a double-free during KDB creation if master key encryption fails. [ghudson@mit.edu: edited commit message] ticket: 9086 (new) tags: pullup target_version: 1.20-next
-rw-r--r--src/lib/kdb/encrypt_key.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c810..91debea53 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
&plain, &cipher))) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return retval;
}
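Review bot: Resetting `key_data_contents[0]` closes the double free, but the failure contract at this return is still implicit: nothing in the branch records that slot 0 is guaranteed NULL on error and that the caller remains responsible for cleaning up `key_data`. A comment above the branch such as `/* On failure leave contents[0] NULL; the caller still frees key_data. */` would make that explicit for the next person adding an error path. If the length field for slot 0 is assigned earlier in the function, which is outside this hunk, it presumably stays non-zero next to the NULL pointer, so it is worth confirming that no caller uses the length without checking the pointer. The same applies to the ENOMEM branch in the second hunk.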
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
key_data->key_data_contents[1] = malloc(keysalt->data.length);
if (key_data->key_data_contents[1] == NULL) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return ENOMEM;
}
memcpy(key_data->key_data_contents[1], keysalt->data.data,
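Review bot: The free-and-reset pair at the ENOMEM return is a copy of the one in the krb5_c_encrypt failure branch of the first hunk, so a further error path added later could drop the reset again. Routing both returns through a single cleanup label, e.g. `retval = ENOMEM; goto cleanup;` with the `free()` and `key_data->key_data_contents[0] = NULL;` done once under the label, would keep the ownership handling in one place. The function body begins and ends outside the hunk, so whether such a label already exists cannot be seen from here.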