Subject: potential null dereference in gss mechglue
Date: Fri, 5 Nov 2010 19:07:03 -0400
From: "Arlene Berry"
X-Beenthere: krb5-bugs-incoming@mailman.mit.edu

In src/lib/gssapi/mechglue/g_canon_name.c, in gss_canonicalize_name, in the allocation_failure section, out_union is dereferenced without first checking whether it was allocated.

--- src/lib/gssapi/mechglue/g_canon_name.c (revision 52314) +++ src/lib/gssapi/mechglue/g_canon_name.c (revision 52315) @@ -153,14 +153,17 @@ allocation_failure: /* do not delete the src name external name format */ if (output_name) { - if (out_union->external_name) { - if (out_union->external_name->value) - free(out_union->external_name->value); - free(out_union->external_name); + if (out_union) + { + if (out_union->external_name) { + if (out_union->external_name->value) + free(out_union->external_name->value); + free(out_union->external_name); + } + if (out_union->name_type) + (void) gss_release_oid(minor_status, + &out_union->name_type); } - if (out_union->name_type) - (void) gss_release_oid(minor_status, - &out_union->name_type); dest_union = out_union; } else @@ -171,16 +174,18 @@ * applies for both src and dest which ever is being used for output */ - if (dest_union->mech_name) { - (void) gssint_release_internal_name(minor_status, + if (dest_union) + { + if (dest_union->mech_name) { + (void) gssint_release_internal_name(minor_status, dest_union->mech_type, &dest_union->mech_name); + } + + if (dest_union->mech_type) + (void) gss_release_oid(minor_status, &dest_union->mech_type); } - if (dest_union->mech_type) - (void) gss_release_oid(minor_status, - &dest_union->mech_type); - - if (output_name) free(out_union);
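Review bot: in the first hunk (@@ -153,14 +153,17 @@), the new `if (out_union)` guard correctly covers the external_name and name_type releases, but `dest_union = out_union;` is still executed inside `if (output_name)` when out_union is NULL, so every later use of dest_union on this path needs its own NULL check; the guard also only helps if out_union is initialized to NULL at its declaration before the first `goto allocation_failure`, which this hunk does not show, so please confirm that. Minor: `if (out_union)` followed by `{` on its own line does not match the surrounding style (`if (output_name) {`, `if (out_union->external_name) {`), so `if (out_union) {` would be consistent.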
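Review bot: in the second hunk (@@ -171,16 +174,18 @@), the line `- if (output_name) free(out_union);` is removed and nothing in the hunk re-adds a free of out_union, so when output_name is set and the function reaches allocation_failure after out_union was allocated, the out_union struct itself is leaked even though its members are released. Suggest keeping `if (output_name) free(out_union);` after the new `if (dest_union) { ... }` block; it is already safe when out_union is NULL, since free(NULL) is a no-op. Same style note as above: `if (dest_union)` with `{` on the next line differs from the file's same-line brace convention.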