Patch from Riverbed (Derrick Pallas) under the license of the files they are in:

Fix resource leak in heimdal/krb5/fcache/fcc_remove_cred
	In fcache, fcc_remove_cred generates a ccache called
	"newfile," which is not cleaned up if the final call
	(krb5_cc_move) fails.

Free of uninitialized value in fcache/fcc_move(...)
	If init_fcc fails to acquire a file handle, sp will be
	uninitialized. If this is the case, the call to
	krb5_storage_free will dereference this uninitialized value,
	which causes undefined behaviour.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24944 ec53bebd-3082-4978-b11e-865c3cabbd6b

diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index 0d8e77ff913099c9f406cbc6f508363e8f2a1010..d34f041cf5a8a48319eb450bee3d70de9c3024e4 100644 (file)
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -770,7 +770,13 @@ fcc_remove_cred(krb5_context context,
        return ret;
     }
 
-    return krb5_cc_move(context, newfile, id);
+    ret = krb5_cc_move(context, newfile, id);
+    if (ret) {
+       krb5_cc_destroy(context, newfile);
+       return ret;
+    }
+    
+    return ret;
 }
 
 static krb5_error_code
@@ -914,7 +920,8 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
        krb5_storage *sp;
        int fd;
        ret = init_fcc (context, to, &sp, &fd);
-       krb5_storage_free(sp);
+       if (sp)
+           krb5_storage_free(sp);
        fcc_unlock(context, fd);
        close(fd);
     }