Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: ghudson@mit.edu Subject: git commit X-RT-Original-Encoding: iso-8859-1 Content-Length: 949 Don't free cred handle used in kadm5 server handle At the end of setup_gss(), gss_client_creds is released, but an alias to the credential handle is saved in kadm5_server_handle_t in handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred. Accessing these credentials (by authgss_refresh) can result in use after free. This fix stores credential reference in server handle and releases the credentials in kadm5_destroy. [ghudson@mit.edu: initialize handle->cred to correct constant; get rid of gss_client_creds variable; clarify commit message slightly] https://github.com/krb5/krb5/commit/b24c362f0589a6212f2f544263bdb76e0988c582 Author: Tomas Kuthan Committer: Greg Hudson Commit: b24c362f0589a6212f2f544263bdb76e0988c582 Branch: master src/lib/kadm5/clnt/client_init.c | 13 ++++++------- src/lib/kadm5/clnt/client_internal.h | 1 + 2 files changed, 7 insertions(+), 7 deletions(-)