fix MITKRB5-SA-2005-003 krb5_recvauth double-free

	* recvauth.c (recvauth_common): Avoid double-free on invalid
	version string.  Thanks to Magnus Hagander.  Fix for
	MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332].

ticket: new
target_version: 1.4.2
tags: pullup
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17299 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index ce0b970efa3521f9903c624ebd3d20fd023f9466..4128f0afb5337836f69dabe0c164ffb867a235f9 100644 (file)
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,5 +1,9 @@
 2005-07-12  Tom Yu  <tlyu@mit.edu>
 
+       * recvauth.c (recvauth_common): Avoid double-free on invalid
+       version string.  Thanks to Magnus Hagander.  Fix for
+       MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332].
+
        * unparse.c (krb5_unparse_name_ext): Account for zero-component
        principal, to avoid single-byte overflow.  Thanks to Daniel
        Wachdorf.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,

diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index e69be67f0f2742bb1c945c3539a7146fd46c8688..92bcad7a9a522689519b2fe6fd14f5a477385dee 100644 (file)
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -75,7 +75,6 @@ recvauth_common(krb5_context context,
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
@@ -89,7 +88,6 @@ recvauth_common(krb5_context context,
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }