kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
back-port r24878 for 1.7-branch
------------------------------------------------------------------------
r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines
ticket: 6899
tags: pullup
target_version: 1.9.1
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
ticket: 6901
status: resolved
version_fixed: 1.7.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24881 dc483132-0cff-0310-8789-dd5450dbe970
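
The bug class the commit message describes, as an added example that is not the krb5 source and not part of the commit: an early error return leaves a response's data pointer unset, and teardown code later frees it. `struct reply`, `process_request`, `teardown_is_safe` and the length check are hypothetical stand-ins; the `init_first` flag switches on the "initialize to NULL" precaution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical response buffer; not the krb5 data type. */
struct reply { size_t length; char *data; };

/* Constructed handler. With init_first == 0 it has the pre-fix shape:
 * the early return leaves rep->data holding whatever the caller's
 * memory contained. With init_first == 1 it applies the precaution
 * of setting the pointer to NULL before any return can happen. */
static int process_request(const char *req, size_t len,
                           struct reply *rep, int init_first)
{
    if (init_first) {
        rep->length = 0;
        rep->data = NULL;
    }
    if (len < 4)                 /* error path: nothing allocated */
        return -1;
    rep->data = malloc(len);
    if (rep->data == NULL)
        return -1;
    memcpy(rep->data, req, len);
    rep->length = len;
    return 0;
}

/* Models teardown code that frees rep.data unconditionally.
 * Returns 1 when that free() is well defined, 0 when it would be
 * handed a pointer that malloc() never returned. */
int teardown_is_safe(const char *req, size_t len, int init_first)
{
    static char stale;           /* stands in for leftover memory contents */
    struct reply rep = { 99, &stale };

    (void)process_request(req, len, &rep, init_first);
    if (rep.data == &stale)
        return 0;                /* free() here would be undefined behaviour */
    free(rep.data);              /* NULL or a live malloc() block: both valid */
    return 1;
}

int main(void)
{
    printf("short request, no init:   safe=%d\n", teardown_is_safe("ab", 2, 0));
    printf("short request, with init: safe=%d\n", teardown_is_safe("ab", 2, 1));
    return 0;
}
```

The stale address is detected by comparison instead of being freed, so the example shows the failure without invoking undefined behaviour.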