From: Robbie Harwood <rharwood@redhat.com>
To: krb5-bugs@mit.edu
Subject: Incorrect error handling in OTP plugin
Date: Thu, 21 Jun 2018 14:08:30 -0400
In otp_state.c:callback(), if we did not receive an accept packet, but
were not out of tokens, we invoke request_send() and then fall through
to the error case. This results in two things happening:
- First, we yield a failure. If request_send() succeeded, then we
erroneously report failure. But if request_send() has failed, we
report the failure again, and request_send() has already freed the
request object (making this a use-after-free).
- Second, we call request_free(). However, since request_send()
may have already freed the request, this is a double-free.
Thanks,
--Robbie
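A C model of the fall-through the report describes, added here as an example and not krb5's otp_state.c code: request_send() takes ownership of the request, so the callback's retry branch must return after invoking it instead of continuing into the error path. The struct layout, the instrumented free (which marks rather than releases, so a double free is observable instead of undefined behaviour) and the scenario driver are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the ownership rule in the report, not krb5 code.
 * Frees are instrumented (marked, not released) so a double free is
 * counted rather than being undefined behaviour. */
typedef struct { int tokens_left; bool freed; } request_t;
typedef struct { int rc; int double_frees; bool pending_freed; } outcome_t;

static request_t *pending;   /* retry queued by request_send(), if any */
static int double_frees;     /* frees of an already-freed request */

static void request_free(request_t *req)
{
    if (req->freed) { double_frees++; return; } /* a real free() here is UB */
    req->freed = true;
}

/* Takes ownership: on failure frees req and returns -1; on success keeps
 * req alive as the in-flight retry and returns 0. */
static int request_send(request_t *req, bool fail)
{
    if (fail) { request_free(req); return -1; }
    req->tokens_left--;
    pending = req;
    return 0;
}

/* Buggy shape from the report: the retry branch falls through into the
 * error path after ownership was already handed to request_send(). */
static int callback_buggy(request_t *req, bool accepted, bool send_fails)
{
    if (accepted) { request_free(req); return 0; }
    if (req->tokens_left > 0)
        request_send(req, send_fails);   /* no return: falls through */
    request_free(req);                   /* double free, or frees in-flight */
    return -1;                           /* failure even if send succeeded */
}

/* Fixed shape: once request_send() runs, return its status and never
 * touch the request again in this function. */
static int callback_fixed(request_t *req, bool accepted, bool send_fails)
{
    if (accepted) { request_free(req); return 0; }
    if (req->tokens_left > 0)
        return request_send(req, send_fails);
    request_free(req);
    return -1;
}

/* Drives one "no accept packet, one token left" callback (constructed). */
static outcome_t scenario(bool use_fixed, bool send_fails)
{
    request_t req = { .tokens_left = 1, .freed = false };
    pending = NULL; double_frees = 0;
    int rc = use_fixed ? callback_fixed(&req, false, send_fails)
                       : callback_buggy(&req, false, send_fails);
    return (outcome_t){ rc, double_frees, pending != NULL && pending->freed };
}
```

The buggy shape reports failure and frees the in-flight request when the send succeeded, and frees twice when the send failed; the fixed shape does neither.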