From f15517b1846c4663d9b6258ef213550a8b8e471a Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 16 Mar 2011 00:15:49 +0000 Subject: [PATCH] KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] pull up r24705 from trunk ------------------------------------------------------------------------ r24705 | tlyu | 2011-03-15 17:47:19 -0400 (Tue, 15 Mar 2011) | 8 lines ticket: 6881 subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] tags: pullup target_version: 1.9.1 Fix a double-free condition in the KDC that can occur during an AS-REQ when PKINIT is enabled. ticket: 6883 version_fixed: 1.7.2 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24708 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/do_as_req.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 680e6a192..8a69e11c5 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -783,6 +783,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e
 pad->contents = td[size]->data;
 pad->length = td[size]->length;
 pa[size] = pad;
+ td[size]->data = NULL;
+ td[size]->length = 0;
 }
 krb5_free_typed_data(kdc_context, td);
 }
--
2.26.2
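Review bot: The two added assignments in the loop body of prepare_error_as perform an ownership transfer that nothing in the code states. After `pad->contents = td[size]->data;` the buffer belongs to `pa[size]`, and clearing `td[size]->data` is what keeps the `krb5_free_typed_data(kdc_context, td)` call below from releasing it a second time. A short comment above them, such as `/* pa[size] now owns this buffer; detach it from td so krb5_free_typed_data() cannot free it again */`, would stop a later cleanup from removing the lines as dead stores. The loop header, the allocation of `pad` and the place where `pa` is eventually freed are outside the hunk, so it is worth confirming there that any path leaving the loop early still frees each buffer exactly once.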