>From c75b69e777a52520f9688a8926b9d6986c88c8cc Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Thu, 1 Jun 2017 13:26:06 +0300 Subject: [PATCH 1/1] Fix double-free bug in GSS authentication. The logic to free the buffer after the gss_init_sec_context() call was always a bit wonky. Because gss_init_sec_context() sets the GSS context variable, conn->gctx, we would in fact always attempt to free the buffer. That only works, because previously conn->ginbuf.value was initialized to NULL, and free(NULL) is a no-op. Commit 61bf96cab0 refactored things so that the GSS input token buffer is allocated locally in pg_GSS_continue, and not held in the PGconn object. After that, the now-local ginbuf.value variable isn't initialized when it's not used, so we pass a bogus pointer to free(). To fix, only try to free the input buffer if we allocated it. That was the intention, certainly after the refactoring, and probably even before that. --- src/interfaces/libpq/fe-auth.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index f4397afc64..f30fb04809 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -133,6 +133,11 @@ pg_GSS_continue(PGconn *conn, int payloadlen) return STATUS_ERROR; } } + else + { + ginbuf.length = 0; + ginbuf.value = NULL; + } maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, @@ -142,13 +147,13 @@ pg_GSS_continue(PGconn *conn, int payloadlen) GSS_C_MUTUAL_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, - (conn->gctx == GSS_C_NO_CONTEXT) ? GSS_C_NO_BUFFER : &ginbuf, + (ginbuf.value == NULL) ? GSS_C_NO_BUFFER : &ginbuf, NULL, &goutbuf, NULL, NULL); - if (conn->gctx != GSS_C_NO_CONTEXT) + if (ginbuf.value) free(ginbuf.value); if (goutbuf.length != 0) -- 2.11.0