pull up r20477 from trunk
authorTom Yu <tlyu@mit.edu>
Mon, 14 Jul 2008 22:12:54 +0000 (22:12 +0000)
committerTom Yu <tlyu@mit.edu>
Mon, 14 Jul 2008 22:12:54 +0000 (22:12 +0000)
 r20477@cathode-dark-space:  raeburn | 2008-06-26 20:20:33 -0400
 ticket: new
 target_version: 1.6.4

 Fix possible null pointer deref, possible uninit ptr use, possible
 leak in unlikely small-allocation failure case.

ticket: 5994
version_fixed: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20522 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/rpc/auth_gssapi.c

index 3d6e6fe6341efbd49c351e1675dc069d20894832..23f3349338a519a21dcc3fb6de99e0a9cd57ff2f 100644 (file)
@@ -164,6 +164,11 @@ AUTH *auth_gssapi_create(
      auth = (AUTH *) malloc(sizeof(*auth));
      pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata));
      if (auth == NULL || pdata == NULL) {
+         /* They needn't both have failed; clean up.  */
+         free(auth);
+         free(pdata);
+         auth = NULL;
+         pdata = NULL;
          rpc_createerr.cf_stat = RPC_SYSTEMERROR;
          rpc_createerr.cf_error.re_errno = ENOMEM;
          goto cleanup;
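Review bot: The new comment at the top of the `if (auth == NULL || pdata == NULL)` branch explains why both pointers are freed but not why both are then set to NULL, which is the safety-relevant half. The `cleanup:` label this branch jumps to evaluates `AUTH_PRIVATE(auth)`, and a freshly malloc'd AUTH has indeterminate contents, so leaving `auth` non-NULL there would mean reading an uninitialized pointer (and freeing it twice). I would spell that out, for example `/* Either may have succeeded: free both (free(NULL) is a no-op) and NULL them so cleanup: never inspects an uninitialized AUTH. */`. The body of auth_gssapi_create starts and continues outside this hunk.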
@@ -436,12 +441,14 @@ next_token:
      
 cleanup:
      PRINTF(("gssapi_create: bailing\n\n"));
-     
-     if (AUTH_PRIVATE(auth))
-         auth_gssapi_destroy(auth);
-     else if (auth)
-         free(auth);
-     auth = NULL;
+
+     if (auth) {
+        if (AUTH_PRIVATE(auth))
+            auth_gssapi_destroy(auth);
+        else
+            free(auth);
+        auth = NULL;
+     }
      
      /* don't assume the caller will want to change clnt->cl_auth */
      clnt->cl_auth = save_auth;
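Review bot: The `else free(auth);` branch under `cleanup:` releases `auth`, but nothing visible in this hunk releases `pdata`. The path is therefore leak-free only if `pdata` is always attached to `auth` before any `goto cleanup` that runs with a live `auth`. The same invariant is what makes `AUTH_PRIVATE(auth)` safe to evaluate here: the private-data field has to be either NULL or a valid pointer, never left over from malloc. The code between the allocation and this label is outside the hunk, so I can't confirm either condition from here. If they hold, I'd record them at the label, e.g. `/* auth != NULL here implies its private data is NULL or the pdata allocated above. */`.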