From: Tom Yu Date: Mon, 14 Jul 2008 22:12:54 +0000 (+0000) Subject: pull up r20477 from trunk X-Git-Tag: kfw-3.2.3-alpha1~38 X-Git-Url: http://git.tremily.us/gitweb.cgi?a=commitdiff_plain;h=d5290c4bbaf0205ec23104e5145e6b1433c87b8f;p=krb5.git pull up r20477 from trunk r20477@cathode-dark-space: raeburn | 2008-06-26 20:20:33 -0400 ticket: new target_version: 1.6.4 Fix possible null pointer deref, possible uninit ptr use, possible leak in unlikely small-allocation failure case. ticket: 5994 version_fixed: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20522 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c
index 3d6e6fe63..23f334933 100644
--- a/src/lib/rpc/auth_gssapi.c
+++ b/src/lib/rpc/auth_gssapi.c
@@ -164,6 +164,11 @@ AUTH *auth_gssapi_create(
 auth = (AUTH *) malloc(sizeof(*auth));
 pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata));
 if (auth == NULL || pdata == NULL) {
+ /* They needn't both have failed; clean up. */
+ free(auth);
+ free(pdata);
+ auth = NULL;
+ pdata = NULL;
 rpc_createerr.cf_stat = RPC_SYSTEMERROR;
 rpc_createerr.cf_error.re_errno = ENOMEM;
 goto cleanup;
@@ -436,12 +441,14 @@ next_token:
 cleanup:
 PRINTF(("gssapi_create: bailing\n\n"));
-
- if (AUTH_PRIVATE(auth))
- auth_gssapi_destroy(auth);
- else if (auth)
- free(auth);
- auth = NULL;
+
+ if (auth) {
+ if (AUTH_PRIVATE(auth))
+ auth_gssapi_destroy(auth);
+ else
+ free(auth);
+ auth = NULL;
+ }
 /* don't assume the caller will want to change clnt->cl_auth */
 clnt->cl_auth = save_auth;
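Review bot: In the `@@ -164,6 +164,11 @@` hunk the allocation-failure branch still ends in `goto cleanup;`, and the cleanup code shown in the second hunk unconditionally executes `clnt->cl_auth = save_auth;`. Where `save_auth` is assigned is not visible here; if that happens after these two mallocs, the out-of-memory path would store an indeterminate pointer into the client handle, which is the same class of uninitialized-pointer use this commit is fixing. Capturing it before the allocations, `save_auth = clnt->cl_auth;`, or initializing it at its declaration would make the error path safe regardless of ordering. The body of auth_gssapi_create starts and ends outside the hunk, so this needs checking against the full function.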
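Review bot: In the `@@ -436,12 +441,14 @@` hunk the `else free(auth);` arm releases only `auth`, so it is correct only if `pdata` can never be allocated while `auth->ah_private` is still NULL. The test `AUTH_PRIVATE(auth)` also presumably reads `ah_private` straight from the malloc'd object, so it relies on that field being zeroed or assigned before any later `goto cleanup`; neither is visible in the hunk. I would record the invariant with a comment such as `/* auth non-NULL here implies it was zeroed; ah_private is NULL or owns pdata */`. I would also brace the inner `if`/`else`, so that a later edit cannot detach `free(auth);` from its condition. The enclosing function starts and ends outside the hunk.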