From: Tom Yu <tlyu@mit.edu>
Date: Tue, 12 Jul 2005 21:00:39 +0000 (+0000)
Subject: pullup from trunk
X-Git-Tag: krb5-1.4.3-beta1~52
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=e5463001f166573fb0d64145c2f26f9a7a27a451;p=krb5.git

pullup from trunk

ticket: 3121
version_fixed: 1.4.2

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@17301 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index f463e0deb..4c5fa02da 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,5 +1,9 @@
 2005-07-12  Tom Yu  <tlyu@mit.edu>
 
+	* recvauth.c (recvauth_common): Avoid double-free on invalid
+	version string.  Thanks to Magnus Hagander.  Fix for
+	MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332].
+
 	* unparse.c (krb5_unparse_name_ext): Account for zero-component
 	principal, to avoid single-byte overflow.  Thanks to Daniel
 	Wachdorf.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index 3b001c178..c29ef8275 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -76,7 +76,6 @@ recvauth_common(krb5_context context,
 	    if ((retval = krb5_read_message(context, fd, &inbuf)))
 		return(retval);
 	    if (strcmp(inbuf.data, sendauth_version)) {
-		krb5_xfree(inbuf.data);
 		problem = KRB5_SENDAUTH_BADAUTHVERS;
 	    }
 	    krb5_xfree(inbuf.data);
@@ -90,7 +89,6 @@ recvauth_common(krb5_context context,
 	if ((retval = krb5_read_message(context, fd, &inbuf)))
 		return(retval);
 	if (appl_version && strcmp(inbuf.data, appl_version)) {
-		krb5_xfree(inbuf.data);
 		if (!problem)
 			problem = KRB5_SENDAUTH_BADAPPLVERS;
 	}