From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001

From: Julien Rische <jrische@redhat.com>

Date: Wed, 1 Feb 2023 15:57:26 +0100

Subject: [PATCH] Fix possible double-free during KDB creation

In krb5_dbe_def_encrypt_key_data(), when we free

key_data->key_data_contents[0], reset it to null so the caller doesn't

free it as well.

Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug

manifests as a double-free during KDB creation if master key

encryption fails.

[ghudson@mit.edu: edited commit message]

ticket: 9086 (new)

tags: pullup

target_version: 1.20-next

---

 src/lib/kdb/encrypt_key.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c

index dc612c810e..91debea533 100644

--- a/src/lib/kdb/encrypt_key.c

+++ b/src/lib/kdb/encrypt_key.c

@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,

     if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,

                                  &plain, &cipher))) {

         free(key_data->key_data_contents[0]);

+        key_data->key_data_contents[0] = NULL;

         return retval;

     }

@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context             context,

                 key_data->key_data_contents[1] = malloc(keysalt->data.length);

                 if (key_data->key_data_contents[1] == NULL) {

                     free(key_data->key_data_contents[0]);

+                    key_data->key_data_contents[0] = NULL;

                     return ENOMEM;

                 }

                 memcpy(key_data->key_data_contents[1], keysalt->data.data,

-- 

2.39.1