Fix possible null pointer deref, possible uninit ptr use, possible
authorKen Raeburn <raeburn@mit.edu>
Fri, 27 Jun 2008 00:20:33 +0000 (00:20 +0000)
committerKen Raeburn <raeburn@mit.edu>
Fri, 27 Jun 2008 00:20:33 +0000 (00:20 +0000)
leak in unlikely small-allocation failure case.

ticket: new
target_version: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20477 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/rpc/auth_gssapi.c

index bd185bc899901767d47e6ea81fa4ba35c9fe6e1d..fa8ce4b1764cfa5cf7bbdca97d5d6db614daac97 100644 (file)
@@ -165,6 +165,11 @@ AUTH *auth_gssapi_create(
      auth = (AUTH *) malloc(sizeof(*auth));
      pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata));
      if (auth == NULL || pdata == NULL) {
+         /* They needn't both have failed; clean up.  */
+         free(auth);
+         free(pdata);
+         auth = NULL;
+         pdata = NULL;
          rpc_createerr.cf_stat = RPC_SYSTEMERROR;
          rpc_createerr.cf_error.re_errno = ENOMEM;
          goto cleanup;
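Review bot: The allocation-failure path jumps to `cleanup`, which in the second hunk ends with `clnt->cl_auth = save_auth;`, and nothing visible in this hunk assigns `save_auth` before the `goto`. If `save_auth = clnt->cl_auth` is set only after the allocation check (the code between the two hunks is not shown, so this is an inference), the ENOMEM path would store an indeterminate pointer into the client handle. Capturing it ahead of the two `malloc` calls, e.g. `save_auth = clnt->cl_auth;` placed before `auth = (AUTH *) malloc(sizeof(*auth));`, would make every jump to `cleanup` safe. The function body starts before and continues past this hunk.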
@@ -437,12 +442,14 @@ next_token:
      
 cleanup:
      PRINTF(("gssapi_create: bailing\n\n"));
-     
-     if (AUTH_PRIVATE(auth))
-         auth_gssapi_destroy(auth);
-     else if (auth)
-         free(auth);
-     auth = NULL;
+
+     if (auth) {
+        if (AUTH_PRIVATE(auth))
+            auth_gssapi_destroy(auth);
+        else
+            free(auth);
+        auth = NULL;
+     }
      
      /* don't assume the caller will want to change clnt->cl_auth */
      clnt->cl_auth = save_auth;
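Review bot: The `else free(auth);` branch under `cleanup:` releases only the AUTH structure, so it relies on `pdata` having been either attached as the private data or already freed, and the hunk does not state that invariant. With the frees added in the first hunk it appears to hold for the allocation-failure path. A future `goto cleanup` placed between the allocations and the point where the private pointer is set would leak `pdata` silently. A comment on the branch would pin this down, e.g. `/* no private data attached; pdata, if it was allocated, has been freed at the failure site */`. The function continues beyond the end of this hunk.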