KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
author: Tom Yu <tlyu@mit.edu>
Tue, 15 Mar 2011 21:47:19 +0000 (21:47 +0000)
committer: Tom Yu <tlyu@mit.edu>
Tue, 15 Mar 2011 21:47:19 +0000 (21:47 +0000)
Fix a double-free condition in the KDC that can occur during an
AS-REQ when PKINIT is enabled.

ticket: 6881
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24705 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_as_req.c

index 283c97e2dca9ac17df834ef61ed5b60deca4dcb5..0cc21cec49c65e8bcfe0c4fe3a5f5859985deb99 100644 (file)
@@ -740,6 +740,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad->contents = td[size]->data;
                     pad->length = td[size]->length;
                     pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                 }
             krb5_free_typed_data(kdc_context, td);
         }
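Review bot: The ownership transfer deserves a short comment at the two added lines, because the reason they are needed is not visible in the hunk itself: `pad->contents = td[size]->data;` aliases the buffer rather than copying it, and the `krb5_free_typed_data(kdc_context, td);` call after the loop still releases every td entry, so without `td[size]->data = NULL;` the same buffer would be owned by both pa[size] and td[size] and freed twice once the pa array is released. Something like `/* ownership of the data buffer moves to pad; clear td so krb5_free_typed_data does not free it */` would keep the next reader from "simplifying" the assignments away. Setting `td[size]->length = 0;` is not what prevents the double free (a NULL data pointer is enough for that), but it keeps the typed-data element internally consistent, which is the right call; the same pattern should be checked wherever else typed-data contents are handed to a pa-data element by pointer.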