pullup from trunk
authorTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 21:00:39 +0000 (21:00 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 12 Jul 2005 21:00:39 +0000 (21:00 +0000)
ticket: 3121
version_fixed: 1.4.2

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@17301 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/recvauth.c

index f463e0debaf533ee27ee57682167b3131608a846..4c5fa02da04149c70195cb37a15cc0311de49e51 100644 (file)
@@ -1,5 +1,9 @@
 2005-07-12  Tom Yu  <tlyu@mit.edu>
 
+       * recvauth.c (recvauth_common): Avoid double-free on invalid
+       version string.  Thanks to Magnus Hagander.  Fix for
+       MITKRB5-SA-2005-003 [CAN-2005-1689, VU#623332].
+
        * unparse.c (krb5_unparse_name_ext): Account for zero-component
        principal, to avoid single-byte overflow.  Thanks to Daniel
        Wachdorf.  Part of fix for MITKRB5-SA-2005-002 [CAN-2005-1175,
index 3b001c178f5c7779f64591d1462097dfe9ee55c5..c29ef827577e89865ec5305bc93e07c4607becc6 100644 (file)
@@ -76,7 +76,6 @@ recvauth_common(krb5_context context,
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
@@ -90,7 +89,6 @@ recvauth_common(krb5_context context,
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }
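Review bot: The release of `inbuf.data` that must now cover both the match and mismatch paths of the application-version check is not visible in this hunk, which ends at the closing brace of the `if`. It is worth confirming that exactly one `krb5_xfree(inbuf.data);` follows on every path, since otherwise removing this call trades the double free for a leak. Setting `inbuf.data = NULL;` right after that release would make any later repeated release of the same buffer harmless, assuming krb5_xfree tolerates NULL as free() does. A comment there such as `/* single release point for inbuf.data; do not free it in the mismatch branch */` would record the ownership rule this fix restores.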