git.samba.org / metze / samba / wip.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 966faef)
libcli/auth: avoid possible mem leak in read_negTokenInit()
authorStefan Metzmacher <metze@samba.org>
Mon, 5 Aug 2013 08:43:38 +0000 (10:43 +0200)
committerStefan Metzmacher <metze@samba.org>
Sat, 10 Aug 2013 07:19:04 +0000 (09:19 +0200)
Also add error checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/spnego_parse.c patch | blob | history

diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index 3bf7aeab6277c76576a9a6f75b6b5582f12b3177..2c73613e3b179f36c40247edce5735545af08186 100644 (file)
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
                        asn1_start_tag(asn1, ASN1_CONTEXT(0));
                        asn1_start_tag(asn1, ASN1_SEQUENCE(0));
 
-                       token->mechTypes = talloc(NULL, const char *);
+                       token->mechTypes = talloc(mem_ctx, const char *);
+                       if (token->mechTypes == NULL) {
+                               asn1->has_error = true;
+                               return false;
+                       }
                        for (i = 0; !asn1->has_error &&
                                     0 < asn1_tag_remaining(asn1); i++) {
                                char *oid;
-                               token->mechTypes = talloc_realloc(NULL,
-                                                                 token->mechTypes,
-                                                                 const char *, i+2);
+                               const char **p;
+                               p = talloc_realloc(mem_ctx,
+                                                  token->mechTypes,
+                                                  const char *, i+2);
+                               if (p == NULL) {
+                                       TALLOC_FREE(token->mechTypes);
+                                       asn1->has_error = true;
+                                       return false;
+                               }
+                               token->mechTypes = p;
                                asn1_read_OID(asn1, token->mechTypes, &oid);
                                token->mechTypes[i] = oid;
                        }
Work in progress branches