WuNOmKmp4e5kEKbX6aDZ/bMGDR4lpd86WFI8MtHOZmqcgoh6pROOED2mmV7mZWWMZh9j lQC379/x5rHwiEJUavgNbLPf8x4iCwA4nmcfT/faWqosTMM00SFe5Jxnzw3CnSlxnmRp NqNQ== X-Forwarded-Encrypted: i=1; AJvYcCWe6BiRYGXKs8nN5n/6zckJhHzBXW99mZ0nLBqk94kzLtUp5HoQgqrkFysAbioTgMYenGzNaEAB7bwgvSpQCGtZJG6G@freebsd.org X-Gm-Message-State: AOJu0Yz6bNLOoC2ac9ukUoiaYMZM5OFUPBUCOw6JLJC4WvW8TXMD31YY bJy/nbV4aAp9lAHFWQvvX24a5DpLIttc+k1QgJsPds1C4gcnU08UIJMZ1fbOo7YouT9wAqDB9P9 Y69qBLhk= X-Gm-Gg: ASbGncuBUttowXAma3eAeMivQdCJuFbblgZ6462/L6/c5OnQu/qv8S6lq+QLsJchzS3 1f5+88u3YO7Dat1TpP3kFhJ+c1EwI9c3CzjYYSl9sbSDIbrHnVcjPqViu9SKQSy0k+xjH3DrT+Y xWpi+fwDBWlfdEDJphnAU+POYVVjgMvStqY5r7irBh2uYMguzX0/hYfkKn5HfQdt64KX6505MO9 hjiRM/NzSPahqa/rToVuzw+/Zu9JoGP/PcPCnofNvAE065eab0BScqxzlpPTLJEEXQLVeSFLfDu lOIrYA/b8VhfrkbgJkPTPHkKAitF/+/JFuifp7xZC1wS X-Google-Smtp-Source: AGHT+IFStLPGyMq2rw2HLOWr9l8aYjEC/1NS1riofHILyRUUvnZZmvz9VlAaUQeEEHpZ8vVtrI7Z+w== X-Received: by 2002:a05:6e02:1fe7:b0:3dd:88da:e804 with SMTP id e9e14a558f8ab-3de07d1bb31mr127017115ab.18.1750099570054; Mon, 16 Jun 2025 11:46:10 -0700 (PDT) Received: from mutt-hbsd ([2001:470:4001:1::95]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-50149c85c1asm1841245173.111.2025.06.16.11.46.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Jun 2025 11:46:09 -0700 (PDT) Date: Mon, 16 Jun 2025 18:46:08 +0000 From: Shawn Webb To: Cy Schubert Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: 98f18cd98824 - main - pam_ksu: Move the realm free to end of function Message-ID: X-Operating-System: FreeBSD mutt-hbsd 14.2-STABLE-HBSD FreeBSD 14.2-STABLE-HBSD HARDENEDBSD-14-STABLE amd64 X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc References: <202506161842.55GIgf9M052877@gitrepo.freebsd.org> List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="jol37ovfjjuqkati" Content-Disposition: inline In-Reply-To: <202506161842.55GIgf9M052877@gitrepo.freebsd.org> X-Rspamd-Queue-Id: 4bLf946KK6z3RgF X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] --jol37ovfjjuqkati Content-Type: text/plain; protected-headers=v1; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Subject: Re: git: 98f18cd98824 - main - pam_ksu: Move the realm free to end of function MIME-Version: 1.0 On Mon, Jun 16, 2025 at 06:42:41PM +0000, Cy Schubert wrote: > The branch main has been updated by cy: >=20 > URL: https://cgit.FreeBSD.org/src/commit/?id=3D98f18cd98824acdf1045e74615= f2db0219019f0b >=20 > commit 98f18cd98824acdf1045e74615f2db0219019f0b > Author: Cy Schubert > AuthorDate: 2025-06-16 18:40:51 +0000 > Commit: Cy Schubert > CommitDate: 2025-06-16 18:42:30 +0000 >=20 > pam_ksu: Move the realm free to end of function > =20 > This avoids a use after free. > =20 > Noted by: jhb > --- > lib/libpam/modules/pam_ksu/pam_ksu.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pa= m_ksu/pam_ksu.c > index a6b3f043d3f4..e50c3e387311 100644 > --- a/lib/libpam/modules/pam_ksu/pam_ksu.c > +++ b/lib/libpam/modules/pam_ksu/pam_ksu.c > @@ -85,8 +85,6 @@ krb5_make_principal(krb5_context context, krb5_principa= l principal, > if ((rc =3D krb5_get_default_realm(context, &temp_realm))) > return (rc); > realm=3Dtemp_realm; > - if (temp_realm) > - free(temp_realm); > } > va_start(ap, realm); > /* > @@ -99,6 +97,8 @@ krb5_make_principal(krb5_context context, krb5_principa= l principal, > */ > rc =3D krb5_build_principal_va(context, principal, strlen(realm), realm= , ap); > va_end(ap); > + if (temp_realm) > + free(temp_realm); Hey Cy, I think the call to free can be made unconditional as it's safe to call free on a NULL pointer (which turns into a no-op). Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Signal Username: shawn_webb.74 Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --jol37ovfjjuqkati Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmhQZmoACgkQ/y5nonf4 4fot1A//aMbSqF+uPkE0tdAgXNNX4gsYJ53y/9vOnQYypjqxdLYzGEUanf66t4ob UeVj6dpjYm3NeaLq9HREK49X9HGqVZmqEd7KyE9VrVkgYjf5u+onUTSKjcZbgJ4x F0UIPctegUALxDXIjytImQZznxRqo0JLub99YXoSEPbmjmYrTdMwpO6zS3g3RDHg izDpxEw0k0DA1X4xq1O9AY4gBMHaYZ1deSN8TVp9SnJZjWtLk0a/Ca7nmT0agY5Z awcZX/xC1cmXWw/k0stYa/Lwh+byf3Q0JF1aQQjpg33QvIYTh5dmG36gWOsKDAoy VSlB7FLKlZ9Vn4fEeOqEYTBWeySLI84iSzJUkqBPXzai8kgPmsFWJ8lYLEkW9tEL bPkY39Jh1vV0xUxGbtbm9ElqYZWiYgtysmFAvj2Knn2CCyQ8dL2jq9yFpdg9I0M8 hZ3taoejDmgzA/++ouJ5ayFgMTjlSKG3ZreopvDTuL2NSAzOLI2vsVjwvMEmRoXz yInrL0rG4znP1sxzLcfUQEpCtw7cKWs0I9vc4Q5pFlc2hvQcm3y81Yb92s6K5/Ig Ivq0yzKeCJpUpOE/LQCll+DitpkAPpGaVXtIkHvI2yyhKvMxKsyH/+rkSt215sH0 TCTwy11G/r5VSRKdPqdSCt24JPQtclXvQF4LPVedsQ2p5gVk27M= =I6Qk -----END PGP SIGNATURE----- --jol37ovfjjuqkati--