From: Ben Kaduk Date: Thu, 17 Jun 2010 04:27:51 +0000 (-0400) Subject: Fix aklog segfault X-Git-Tag: openafs-devel-1_5_75~107 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=f8981f18dfdd5ae9efd03b9d247238dd83f46506;hp=196d2c7f9e3250008bf6aed2e172ec6d54e4ffb7 Fix aklog segfault In auth_to_cell(), we only strdup() into the linkedcell argument if there is a linkedCell in the current cellconf. However, in main(), we free linkedcell if it is non-NULL, but it is allocated on the stack and could contain garbage. free() chokes on such garbage, causing aklog to abort(). If we copy nothing into linkedcell, set it to NULL so that we do not attempt to free the bogus pointer. Change-Id: I92905a5f17021ce1bc41909f5ceb1b0344456d93 Reviewed-on: http://gerrit.openafs.org/2213 Reviewed-by: Jeffrey Altman Reviewed-by: Russ Allbery Tested-by: Benjamin Kaduk Reviewed-by: Derrick Brashear --- diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c index 2408547..d3bb44c 100644 --- a/src/aklog/aklog.c +++ b/src/aklog/aklog.c @@ -968,11 +968,15 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell) if ((status = get_cellconfig(cell, &cellconf, &local_cell))) return(status); - if (linkedcell != NULL && cellconf.linkedCell != NULL) { - *linkedcell = strdup(cellconf.linkedCell); - if (*linkedcell == NULL) { - status = ENOMEM; - goto out; + if (linkedcell != NULL) { + if (cellconf.linkedCell != NULL) { + *linkedcell = strdup(cellconf.linkedCell); + if (*linkedcell == NULL) { + status = ENOMEM; + goto out; + } + } else { + *linkedcell = NULL; } }
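Review bot: In auth_to_cell(), the new `*linkedcell = NULL;` assignment comes after the early `return(status);` taken when get_cellconfig() fails, so on that error path the caller's pointer is still never written. If main() frees linkedcell whenever it is non-NULL, as the commit message describes, a failed cell lookup could still hand free() the same stack garbage; whether main() checks the return status before freeing is not visible in this hunk. Consider clearing the output at the top of the function, before the get_cellconfig() call (`if (linkedcell != NULL) *linkedcell = NULL;`), which covers every exit path and makes the added else branch unnecessary. Initializing the variable to NULL at its declaration in main() would also stop the caller from depending on the callee for this.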