ehlo,

debug_prg_name is used in debug_fn and it was allocated under talloc context "kr". The variable "kr" was removed before the last debug messages in function main. There is very little chance that it will be overridden.

It is possible to see this issue with the exported environment variable TALLOC_FREE_FILL=255.

Patch is attached.

LS
>From 6d2e0aa0988bdce7fcccf7963437f9c4fc892f51 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Thu, 20 Mar 2014 16:02:05 +0100 Subject: [PATCH] krb5_child: Fix use after free debug_prg_name is used in debug_fn and it was allocated under talloc context "kr". The variable "kr" was removed before the last debug messages in function main. It is very little change that it will be overridden. It is possible to see this issue with exported environment variable TALLOC_FREE_FILL=255 --- src/providers/krb5/krb5_child.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 1bff0e99b586e0b1a54a660320f91cdab275fbe1..2e1d9b2ed502cf23bcdd7ff3383256c7a6189d56 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -2030,13 +2030,14 @@ int main(int argc, const char *argv[]) } done: - krb5_cleanup(kr); - talloc_free(kr); if (ret == EOK) { DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n"); - exit(0); + ret = 0; } else { DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n"); - exit(-1); + ret = -1; } + krb5_cleanup(kr); + talloc_free(kr); + exit(ret); } -- 1.8.5.3
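Review bot: at the end of the done: block in main, nothing records that DEBUG must not be called once `talloc_free(kr);` has run, so a log line added later between that call and `exit(ret);` would bring the use after free back. The commit message says debug_prg_name is allocated under kr; a short comment above talloc_free(kr) stating that dependency would protect the ordering, or debug_prg_name could be allocated outside the kr context so its lifetime does not depend on cleanup order. A smaller point in the same block: ret is reused as the process exit status (`ret = 0;` / `ret = -1;`), which overwrites the error code it held; a separate variable for the exit status would keep the two meanings apart.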