| Subject: | potential null dereference in gss mechglue |
| Date: | Fri, 5 Nov 2010 19:07:03 -0400 |
| From: | "Arlene Berry" <aberry@likewise.com> |
| To: | <krb5-bugs@mit.edu> |
In src/lib/gssapi/mechglue/g_canon_name.c in gss_canonicalize_name in
the allocation_failure section out_union is dereferenced without first
checking whether it was allocated.
--- src/lib/gssapi/mechglue/g_canon_name.c (revision 52314)
+++ src/lib/gssapi/mechglue/g_canon_name.c (revision 52315)
@@ -153,14 +153,17 @@
allocation_failure:
/* do not delete the src name external name format */
if (output_name) {
- if (out_union->external_name) {
- if (out_union->external_name->value)
- free(out_union->external_name->value);
- free(out_union->external_name);
+ if (out_union)
+ {
+ if (out_union->external_name) {
+ if (out_union->external_name->value)
+
free(out_union->external_name->value);
+ free(out_union->external_name);
+ }
+ if (out_union->name_type)
+ (void) gss_release_oid(minor_status,
+ &out_union->name_type);
}
- if (out_union->name_type)
- (void) gss_release_oid(minor_status,
- &out_union->name_type);
dest_union = out_union;
} else
@@ -171,16 +174,18 @@
* applies for both src and dest which ever is being used for
output
*/
- if (dest_union->mech_name) {
- (void) gssint_release_internal_name(minor_status,
+ if (dest_union)
+ {
+ if (dest_union->mech_name) {
+ (void)
gssint_release_internal_name(minor_status,
dest_union->mech_type,
&dest_union->mech_name);
+ }
+
+ if (dest_union->mech_type)
+ (void) gss_release_oid(minor_status,
&dest_union->mech_type);
}
- if (dest_union->mech_type)
- (void) gss_release_oid(minor_status,
&dest_union->mech_type);
-
-
if (output_name)
free(out_union);
the allocation_failure section out_union is dereferenced without first
checking whether it was allocated.
--- src/lib/gssapi/mechglue/g_canon_name.c (revision 52314)
+++ src/lib/gssapi/mechglue/g_canon_name.c (revision 52315)
@@ -153,14 +153,17 @@
allocation_failure:
/* do not delete the src name external name format */
if (output_name) {
- if (out_union->external_name) {
- if (out_union->external_name->value)
- free(out_union->external_name->value);
- free(out_union->external_name);
+ if (out_union)
+ {
+ if (out_union->external_name) {
+ if (out_union->external_name->value)
+
free(out_union->external_name->value);
+ free(out_union->external_name);
+ }
+ if (out_union->name_type)
+ (void) gss_release_oid(minor_status,
+ &out_union->name_type);
}
- if (out_union->name_type)
- (void) gss_release_oid(minor_status,
- &out_union->name_type);
dest_union = out_union;
} else
@@ -171,16 +174,18 @@
* applies for both src and dest which ever is being used for
output
*/
- if (dest_union->mech_name) {
- (void) gssint_release_internal_name(minor_status,
+ if (dest_union)
+ {
+ if (dest_union->mech_name) {
+ (void)
gssint_release_internal_name(minor_status,
dest_union->mech_type,
&dest_union->mech_name);
+ }
+
+ if (dest_union->mech_type)
+ (void) gss_release_oid(minor_status,
&dest_union->mech_type);
}
- if (dest_union->mech_type)
- (void) gss_release_oid(minor_status,
&dest_union->mech_type);
-
-
if (output_name)
free(out_union);