In src/lib/gssapi/mechglue/g_canon_name.c in gss_canonicalize_name in the allocation_failure section out_union is dereferenced without first checking whether it was allocated. --- src/lib/gssapi/mechglue/g_canon_name.c (revision 52314) +++ src/lib/gssapi/mechglue/g_canon_name.c (revision 52315) @@ -153,14 +153,17 @@ allocation_failure: /* do not delete the src name external name format */ if (output_name) { - if (out_union->external_name) { - if (out_union->external_name->value) - free(out_union->external_name->value); - free(out_union->external_name); + if (out_union) + { + if (out_union->external_name) { + if (out_union->external_name->value) + free(out_union->external_name->value); + free(out_union->external_name); + } + if (out_union->name_type) + (void) gss_release_oid(minor_status, + &out_union->name_type); } - if (out_union->name_type) - (void) gss_release_oid(minor_status, - &out_union->name_type); dest_union = out_union; } else @@ -171,16 +174,18 @@ * applies for both src and dest which ever is being used for output */ - if (dest_union->mech_name) { - (void) gssint_release_internal_name(minor_status, + if (dest_union) + { + if (dest_union->mech_name) { + (void) gssint_release_internal_name(minor_status, dest_union->mech_type, &dest_union->mech_name); + } + + if (dest_union->mech_type) + (void) gss_release_oid(minor_status, &dest_union->mech_type); } - if (dest_union->mech_type) - (void) gss_release_oid(minor_status, &dest_union->mech_type); - - if (output_name) free(out_union);