From fb2573f4a39e63e6585ea6c17ef173a18e002bd0 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 8 Mar 2006 22:25:32 +0000
Subject: [PATCH] pull up r17578 from trunk
ticket: 3313
version_fixed: 1.4.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@17718 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/ChangeLog | 8 ++++++++
 src/lib/krb5/krb/gc_frm_kdc.c | 23 +++++++++++------------
 2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index b9c1f91ca..c90fe7004 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,11 @@
+2005-12-28 Tom Yu
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Cause free_tgt and
+ free_otgt to track the states of tgt and otgt correctly, to avoid
+ a double-free condition which previously happened when this
+ function returned to krb5_get_credentials(), which proceeded to
+ free a previously freed TGT in the returned TGT list.
+
 2005-09-22 Tom Yu
 * mk_req_ext.c (krb5int_generate_and_save_subkey): Check for and
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 70ca55f4e..a4a0118f6 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -230,15 +230,15 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 &tgtq.server))) goto cleanup;
+ if (free_otgt)
+ krb5_free_cred_contents(context, &otgt);
 otgt = tgt;
- free_otgt = 1;
+ free_otgt = free_tgt;
 free_tgt = 0;
 retval = krb5_cc_retrieve_cred(context, ccache, retr_flags, &tgtq, &tgt);
 if (retval == 0) {
- krb5_free_cred_contents(context, &otgt);
- free_otgt = 0;
 free_tgt = 1;
 /* We are now done - proceed to got/finally have tgt */
 } else {
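Review bot: `otgt = tgt;` in the hunk at -230 is a shallow struct copy, so both variables point at the same credential contents and only free_tgt/free_otgt say who may release them; that invariant is not written down in the visible lines. The removed lines show the two copies of this sequence (here and at -304) had already drifted apart, one guarding the free with `if (free_otgt)` and one not. I would add a comment above the handoff such as `/* otgt takes over tgt's contents; we own them only if free_tgt was set (tgt may alias an entry in ret_tgts) */`. The function body and its cleanup label lie outside the hunk, so whether cleanup releases otgt when free_otgt is still set on the success path should be confirmed there.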
@@ -250,8 +250,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 /* with current tgt. */
 /* Copy back in case invalided */
 tgt = otgt;
+ free_tgt = free_otgt;
 free_otgt = 0;
- free_tgt = 1;
 if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) {
 retval = KRB5_PROG_ETYPE_NOSUPP;
 goto cleanup;
@@ -304,16 +304,15 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 &tgtq.server))) goto cleanup;
+ if (free_otgt)
+ krb5_free_cred_contents(context, &otgt);
 otgt = tgt;
- free_otgt = 1;
+ free_otgt = free_tgt;
 free_tgt = 0;
 retval = krb5_cc_retrieve_cred(context, ccache, retr_flags, &tgtq, &tgt);
 if (retval == 0) {
- if (free_otgt)
- krb5_free_cred_contents(context, &otgt);
- free_otgt = 0;
 free_tgt = 1;
 /* Continues with 'got one as close as possible' */
 } else {
@@ -324,8 +323,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 /* not in the cache so try and get one with our current tgt. */
 tgt = otgt;
+ free_tgt = free_otgt;
 free_otgt = 0;
- free_tgt = 1;
 if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) {
 retval = KRB5_PROG_ETYPE_NOSUPP;
 goto cleanup;
@@ -359,9 +358,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 krb5_free_creds(context, tgtr);
 tgtr = NULL;
- if (free_otgt) {
- krb5_free_cred_contents(context, &otgt);
- free_otgt = 0;
+ if (free_tgt) {
+ krb5_free_cred_contents(context, &tgt);
+ free_tgt = 0;
 }
 tgt = *ret_tgts[ntgts++];
--
2.26.2
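Review bot: After `tgt = otgt; free_tgt = free_otgt; free_otgt = 0;` in the hunk at -250 (and the identical lines at -324), otgt still holds the same pointers as tgt, and its safety rests entirely on free_otgt staying 0 until the next `otgt = tgt;`. Clearing the donor once ownership has moved, e.g. `memset(&otgt, 0, sizeof(otgt));` after `free_otgt = 0;`, would make a later stray free of otgt harmless instead of another double-free. This assumes krb5_free_cred_contents tolerates a zeroed struct, which should be checked. The surrounding else-branch starts and ends outside the hunk.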
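Review bot: In the hunk at -359, `tgt = *ret_tgts[ntgts++];` leaves tgt as a shallow alias of an entry in the list handed back to the caller, and the only thing keeping this function from freeing it is that free_tgt was just cleared. A comment there would protect the invariant, e.g. `/* tgt aliases the ret_tgts entry, which the caller frees: free_tgt stays 0 */`. The old lines released otgt at this point and the new ones release tgt instead, so an owned otgt now survives until the next `if (free_otgt)` or the cleanup code, neither of which is visible in this hunk; it is worth confirming that no exit path skips it.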