From: Tom Yu Date: Sat, 20 Jan 2007 00:20:40 +0000 (+0000) Subject: pull up r19021 from trunk X-Git-Tag: kfw-3.2.0-beta1~95 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=3d31544d6ed7f720ca138901fd932a1bbc77d029;p=krb5.git pull up r19021 from trunk r19021@cathode-dark-space: epeisach | 2006-12-30 01:05:12 -0500 subject: memory leak if defective header present in gss_krb5int_unseal_token_v3 ticket: new tags: pullup If after unsealing the message, the TOK_ID is not 05 04, free memory before returning a defective token error. ticket: 5238 version_fixed: 1.6.1 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19073 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index c5628e2c2..d83ac8593 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -412,8 +412,10 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, if (load_16_be(althdr) != 0x0504 || althdr[2] != ptr[2] || althdr[3] != ptr[3] - || memcmp(althdr+8, ptr+8, 8)) + || memcmp(althdr+8, ptr+8, 8)) { + free(plain.data); goto defective; + } message_buffer->value = plain.data; message_buffer->length = plain.length - ec - 16; } else {
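Review bot: In the new failure branch of the header comparison, free(plain.data) leaves plain.data pointing at freed memory before the goto defective. The code at the defective label is not visible in this hunk, so either set plain.data = NULL right after the free or move the release into a single cleanup path, so that a later change there cannot turn this into a double free. Because plain.data holds the unsealed message at this point, consider clearing the buffer before freeing it on this error path. Separately, the unchanged context line "message_buffer->length = plain.length - ec - 16;" has no visible guard that plain.length is at least ec + 16; please confirm that is validated earlier in the function, since otherwise the subtraction could wrap and hand the caller an oversized length.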