From babf3f6cbb1c508e66e4431527e55be8d02eeac8 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 9 Jul 2009 01:59:03 +0000
Subject: [PATCH] pull up r20485 from trunk

------------------------------------------------------------------------
r20485 | raeburn | 2008-06-26 23:33:14 -0400 (Thu, 26 Jun 2008) | 8 lines
ticket: new
target_version: 1.6.4
tags: pullup
subject: use-after-free bugs
Fix some bugs with storage being used immediately after being freed. None look like anything an attacker can really manipulate AFAICT.
ticket: 5998
version_fixed: 1.6.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22427 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/server/server_stubs.c | 2 +-
 src/kdc/network.c | 2 --
 src/lib/krb5/krb/mk_cred.c | 2 +-
 src/slave/kprop.c | 4 ++--
 4 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index f09154045..843dd7576 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1628,7 +1628,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
 }
 if (ret.code != 0)
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ errmsg = krb5_get_error_message(NULL, ret.code);
 else
 errmsg = "success";
diff --git a/src/kdc/network.c b/src/kdc/network.c
index 3bf18786c..5c25eb727 100644
--- a/src/kdc/network.c
+++ b/src/kdc/network.c
@@ -775,10 +775,8 @@ static void process_packet(struct connection *conn, const char *prog,
 return;
 }
 if (cc != response->length) {
- krb5_free_data(kdc_context, response);
 com_err(prog, 0, "short reply write %d vs %d\n",
 response->length, cc);
- return;
 }
 krb5_free_data(kdc_context, response);
 return;
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 04248c08d..ba3cc3a6b 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
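Review bot: In init_2_svc (src/kadmin/server/server_stubs.c), the new `krb5_get_error_message(NULL, ret.code)` call carries no comment explaining why the context argument is NULL, so a later cleanup could restore `handle->context` and bring the use-after-free back. Presumably handle has already been released earlier in the function, which lies outside this hunk; if so, I would add `/* handle is already released here; do not dereference handle->context */` directly above the call. With a NULL context the log line presumably gets only the generic text for ret.code, so if the context-specific message matters it would have to be fetched before the handle is released.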
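Review bot: In process_packet (src/kdc/network.c), the retained com_err() call formats `response->length` with `%d`; if that field is the unsigned length member of a krb5_data, as the name suggests, the specifier should be `%u` or the argument cast to int so the logged value cannot be misprinted. The short-write branch is now safe only because the single `krb5_free_data(kdc_context, response);` after the `if` is the sole release point, so a brief comment there such as `/* response is released once, below, on both the short-write and success paths */` would help keep it that way. The function body starts and ends outside this hunk.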
@@ -176,8 +176,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds *
 if ((pcred->tickets = (krb5_ticket **)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) {
- retval = ENOMEM;
 free(pcred);
+ return ENOMEM;
 }
 memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index b2ea2c2b3..42bc8fbda 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -1,7 +1,7 @@
 /*
 * slave/kprop.c
 *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
@@ -505,12 +505,12 @@ open_database(context, data_fn, size)
 free(data_ok_fn);
 exit(1);
 }
- free(data_ok_fn);
 if (stbuf.st_mtime > stbuf_ok.st_mtime) {
 com_err(progname, 0, "'%s' more recent than '%s'.",
 data_fn, data_ok_fn);
 exit(1);
 }
+ free(data_ok_fn);
 *size = stbuf.st_size;
 return(fd);
 }
--
2.26.2
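Review bot: In krb5_mk_ncred (src/lib/krb5/krb/mk_cred.c), the size `sizeof(krb5_ticket *) * (ncred + 1)` is computed twice, once for malloc() and once for the following memset(), with no overflow check on the multiplication. Replacing the pair with `pcred->tickets = calloc(ncred + 1, sizeof(krb5_ticket *));` and the same NULL test would zero the array in one step and let the allocator reject an overflowing count. The new early `return ENOMEM;` also skips any shared cleanup later in the function, which is fine only if pcred is the sole allocation made by this point; that cannot be confirmed from this hunk, since the function starts and continues outside it.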
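Review bot: In open_database (src/slave/kprop.c), the two failure branches are now asymmetric: the branch at the top of the second hunk calls `free(data_ok_fn);` before `exit(1);`, while the `'%s' more recent than '%s'.` branch exits without freeing. That is harmless at process exit, but the asymmetry invites someone to add the free back ahead of the com_err() call, which is exactly the use-after-free this commit removes. I would either drop the free in the first branch or add a comment above the moved line, `/* data_ok_fn is used in the message above; release it only after its last use */`. The function begins outside the hunk.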