From: Tom Yu Date: Tue, 15 Mar 2011 21:47:19 +0000 (+0000) Subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] X-Git-Tag: krb5-1.10-alpha1~531 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=e1ce2955dbaf8fbbc52a9625a62bb3fc4e31215f;p=krb5.git KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] Fix a double-free condition in the KDC that can occur during an AS-REQ when PKINIT is enabled. ticket: 6881 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24705 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 283c97e2d..0cc21cec4 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -740,6 +740,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, pad->contents = td[size]->data; pad->length = td[size]->length; pa[size] = pad; + td[size]->data = NULL; + td[size]->length = 0; } krb5_free_typed_data(kdc_context, td); }
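Review bot: the two lines added after `pa[size] = pad;` in prepare_error_as move ownership of the buffer from td[size] to pad, but nothing in the code says so, and that ownership rule is the whole fix. A short comment above `td[size]->data = NULL;` would help, stating that pad->contents now owns the data and that the following krb5_free_typed_data(kdc_context, td) call must not free it. Without that, a later cleanup could remove the assignments as redundant and reintroduce the double free. The fix also depends on krb5_free_typed_data accepting an entry whose data is NULL and length is 0, which is not visible in this hunk and is worth confirming. The patch carries no test that exercises this error path with PKINIT enabled; one would guard against regression.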