Use of pointer after free in ipa-join

In some cases recently freed memory was used/freed again. This patch introduces more consistency between functions join_ldap/join_krb5 when dealing with affected variables. https://fedorahosted.org/freeipa/ticket/709
2024-12-23 07:33:27 -06:00 · 2011-01-07 15:17:59 +01:00 · 2011-01-07 15:17:59 +01:00 · 6503813608
commit 6503813608
parent 380fed3bb1
1 changed files with 10 additions and 4 deletions
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@ -373,6 +373,8 @@ join_ldap(const char *ipaserver, char *hostname, const char ** binddn, const cha
    int has_principal = 0;

    *binddn = NULL;
+    *princ = NULL;
+    *subject = NULL;

    if (get_root_dn(ipaserver, &ldap_base) != 0) {
        if (!quiet)
@ -482,7 +484,7 @@ ldap_done:
    free(filter);
    free(search_base);
    free(ldap_base);
-    free((void *)*subject);
+
    if (ld != NULL) {
        ldap_unbind_ext(ld, NULL, NULL);
    }
@ -511,6 +513,10 @@ join_krb5(const char *ipaserver, char *hostname, const char **hostdn, const char
    char * url = NULL;
    int rval = 0;

+    *hostdn = NULL;
+    *subject = NULL;
+    *princ = NULL;
+
    /* Start up our XML-RPC client library. */
    xmlrpc_client_init(XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION);

@ -614,8 +620,6 @@ cleanup:

 cleanup_xmlrpc:
    free(url);
-//    free((char *)princ);
-//    free((char *)hostdn);
    free((char *)krblastpwdchange);
    xmlrpc_env_clean(&env);
    xmlrpc_client_cleanup();
@ -940,15 +944,17 @@ join(const char *server, const char *hostname, const char *bindpw, const char *k
    }

 cleanup:
-    if (NULL != subject)
+    if (NULL != subject && !quiet)
        fprintf(stderr, _("Certificate subject base is: %s\n"), subject);

    free((char *)princ);
    free((char *)subject);
+
    if (bindpw)
        ldap_memfree((void *)hostdn);
    else
        free((char *)hostdn);
+
    free((char *)ipaserver);
    free((char *)iparealm);
    if (uprinc) krb5_free_principal(krbctx, uprinc);