Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 7 Dec 2001 17:07:03 -0500 (EST)
From:      "Alexander N. Kabaev" <ak03@gte.com>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        assar@freebsd.org
Subject:   bin/32591: The memory block doubly freed in Heimdal Kerberos5
Message-ID:  <200112072207.fB7M73S67160@h132-197-179-27.gte.com>
next in thread | raw e-mail | index | archive | help 


>Number:         32591
>Category:       bin
>Synopsis:       The memory block doubly freed in Heimdal Kerberos5
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 07 14:30:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD kanpc.gte.com 5.0-CURRENT FreeBSD 5.0-CURRENT #10: Wed Dec 5 13:23:00 EST 2001 root@kanpc.gte.com:/usr/src/sys/i386/compile/KANPC i386

>Description:
	The  /usr/src/crypto/heimdal/lib/krb5/keytab_any.c file contains the
	following code in function any_start_seq_get:
>How-To-Repeat:
	N/A
>Fix:

Index: /usr/src/crypto/heimdal/lib/krb5/keytab_any.c
===================================================================
RCS file: /usr/ncvs/src/crypto/heimdal/lib/krb5/keytab_any.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 keytab_any.c
--- /usr/src/crypto/heimdal/lib/krb5/keytab_any.c	21 Jun 2001 02:11:33 -0000	1.1.1.1
+++ /usr/src/crypto/heimdal/lib/krb5/keytab_any.c	7 Dec 2001 21:51:38 -0000
@@ -139,7 +139,6 @@
     ed->a = a;
     ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
     if (ret) {
-	free (ed);
 	free (c->data);
 	c->data = NULL;
 	krb5_set_error_string (context, "malloc: out of memory");
	


>Release-Note:
>Audit-Trail:
>Unformatted:
 >>>>>>>>>>
     ed = (struct any_cursor_extra_data *)c->data;
     ed->a = a;
     ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
     if (ret) {
 	free (ed);
         free (c->data);
         c->data = NULL;
 <<<<<<<<<<
 
 	The free(ed) statement is bogus, because in this case 
 	c->data == ed, and it is not a very good idea to free
 	the same memory block twice.
    	

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112072207.fB7M73S67160>