Date:      Mon, 16 Jun 2025 18:46:08 +0000
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Cy Schubert <cy@freebsd.org>
Cc:        src-committers@freebsd.org, dev-commits-src-all@freebsd.org,  dev-commits-src-main@freebsd.org
Subject:   Re: git: 98f18cd98824 - main - pam_ksu: Move the realm free to end of function
Message-ID:  <xa4lcs4gbif33egxswse52pgxbceff2ouwnjnpvrf33qbzwlg6@pgdqmkx6yt6z>
In-Reply-To: <202506161842.55GIgf9M052877@gitrepo.freebsd.org>
References:  <202506161842.55GIgf9M052877@gitrepo.freebsd.org>

On Mon, Jun 16, 2025 at 06:42:41PM +0000, Cy Schubert wrote:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=98f18cd98824acdf1045e74615f2db0219019f0b
>
> commit 98f18cd98824acdf1045e74615f2db0219019f0b
> Author:     Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2025-06-16 18:40:51 +0000
> Commit:     Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2025-06-16 18:42:30 +0000
>
>     pam_ksu: Move the realm free to end of function
>
>     This avoids a use after free.
>
>     Noted by:       jhb
> ---
>  lib/libpam/modules/pam_ksu/pam_ksu.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pa=
m_ksu/pam_ksu.c
> index a6b3f043d3f4..e50c3e387311 100644
> --- a/lib/libpam/modules/pam_ksu/pam_ksu.c
> +++ b/lib/libpam/modules/pam_ksu/pam_ksu.c
> @@ -85,8 +85,6 @@ krb5_make_principal(krb5_context context, krb5_principa=
l principal,
>  		if ((rc =3D krb5_get_default_realm(context, &temp_realm)))
>  			return (rc);
>  		realm=3Dtemp_realm;
> -		if (temp_realm)
> -			free(temp_realm);
>  	}
>  	va_start(ap, realm);
>  	/*
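
Review bot: the assignment `realm=temp_realm;` in this hunk makes realm borrow temp_realm's storage, and nothing in the code says so. A one-line comment there, stating that the buffer must stay allocated until krb5_build_principal_va() has consumed realm, would keep a later cleanup from moving the free back up into this block.
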
> @@ -99,6 +97,8 @@ krb5_make_principal(krb5_context context, krb5_principa=
l principal,
>  	 */
>  	rc =3D krb5_build_principal_va(context, principal, strlen(realm), realm=
, ap);
>  	va_end(ap);
> +	if (temp_realm)
> +		free(temp_realm);
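
Review bot: the `if (temp_realm)` guard on the relocated free is only meaningful if temp_realm is NULL whenever the caller passed a non-NULL realm. The visible lines assign it only inside the default-realm branch, and its declaration is outside the hunk context, so please confirm it is initialized to NULL at declaration; otherwise this frees an uninitialized pointer on the path that skips the branch. Once that holds, the guard can be dropped and the call made unconditional.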

Hey Cy,

I think the call to free can be made unconditional as it's safe to
call free on a NULL pointer (which turns into a no-op).

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
