Subject: krb5_verify_init_creds frees its input argument
Commit caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 introduced a bug in
krb5_verify_init_creds that causes it to unconditionally free the
caller-provided server krb5_principal argument.

The previous code contained this branch to preserve the input argument:

- if (server_arg) {
- ret = krb5_copy_principal(context, server_arg, &server);
- if (ret)
- goto cleanup;
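Review bot: removing this krb5_copy_principal call without also removing the later unconditional free of `server` means `server` now aliases the caller's `server_arg`, so the cleanup path releases memory the caller still owns; either the free has to go as well, or it must be made conditional on this function having allocated `server` itself. The fragment also stops at `goto cleanup;` without the closing brace or the branch for a NULL `server_arg`, so what `server` holds in that case is not visible here.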

so that server could later be unconditionally freed. This
krb5_copy_principal was dropped by the refactoring. This results in a
double-free for callers, like pam-krb5, that expect to be responsible
for freeing the krb5_principal that they're passing in.
From: ghudson@mit.edu
Subject: SVN Commit

Don't free caller's principal in vfy_increds

#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.

https://github.com/krb5/krb5/commit/dd64191e02df0a13b29345e4c50fe03e039dc207
Author: Greg Hudson <ghudson@mit.edu>
Commit: dd64191e02df0a13b29345e4c50fe03e039dc207
Branch: master
src/lib/krb5/krb/vfy_increds.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)