Date:      Mon, 16 Jun 2025 18:46:08 +0000
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Cy Schubert <cy@freebsd.org>
Cc:        src-committers@freebsd.org, dev-commits-src-all@freebsd.org,  dev-commits-src-main@freebsd.org
Subject:   Re: git: 98f18cd98824 - main - pam_ksu: Move the realm free to end of function
Message-ID:  <xa4lcs4gbif33egxswse52pgxbceff2ouwnjnpvrf33qbzwlg6@pgdqmkx6yt6z>
In-Reply-To: <202506161842.55GIgf9M052877@gitrepo.freebsd.org>
References:  <202506161842.55GIgf9M052877@gitrepo.freebsd.org>

On Mon, Jun 16, 2025 at 06:42:41PM +0000, Cy Schubert wrote:
> The branch main has been updated by cy:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=98f18cd98824acdf1045e74615f2db0219019f0b
> 
> commit 98f18cd98824acdf1045e74615f2db0219019f0b
> Author:     Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2025-06-16 18:40:51 +0000
> Commit:     Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2025-06-16 18:42:30 +0000
> 
>     pam_ksu: Move the realm free to end of function
>     
>     This avoids a use after free.
>     
>     Noted by:       jhb
> ---
>  lib/libpam/modules/pam_ksu/pam_ksu.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pam_ksu/pam_ksu.c
> index a6b3f043d3f4..e50c3e387311 100644
> --- a/lib/libpam/modules/pam_ksu/pam_ksu.c
> +++ b/lib/libpam/modules/pam_ksu/pam_ksu.c
> @@ -85,8 +85,6 @@ krb5_make_principal(krb5_context context, krb5_principal principal,
>  		if ((rc = krb5_get_default_realm(context, &temp_realm)))
>  			return (rc);
>  		realm=temp_realm;
> -		if (temp_realm)
> -			free(temp_realm);
>  	}
>  	va_start(ap, realm);
>  	/*
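
Review bot: `temp_realm` has to be initialised to NULL at its declaration, which the context of this hunk does not show. It is assigned only inside the block that closes at `}`, but the relocated `if (temp_realm) free(temp_realm);` runs on every path that reaches the end of the function, so without the initialiser a caller-supplied realm leads to a test and free of an indeterminate pointer. While touching this block, `realm=temp_realm;` should get spaces around the `=` per style(9).
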
> @@ -99,6 +97,8 @@ krb5_make_principal(krb5_context context, krb5_principal principal,
>  	 */
>  	rc = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
>  	va_end(ap);
> +	if (temp_realm)
> +		free(temp_realm);
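
Review bot: `free(temp_realm)` after `va_end(ap)` releases a string obtained from `krb5_get_default_realm()` with the libc deallocator; where the Kerberos library in use provides a matching release routine (MIT krb5 has `krb5_free_default_realm()`), prefer it so allocation and release stay paired. The placement itself is correct: `realm` aliases `temp_realm` and is last read in `strlen(realm)` and the `krb5_build_principal_va()` call, so the free must not move above that line.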

Hey Cy,

I think the call to free can be made unconditional as it's safe to
call free on a NULL pointer (which turns into a no-op).

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
