>From 17d1d7194505b4c047256e703a1d21fb009c36a6 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Tue, 8 Apr 2014 10:56:22 +0200 Subject: [PATCH] krb5_child: Fix use after free in debug message debug_prg_name is used in debug_fn and it was allocated under talloc context "kr". The variable "kr" was removed before the last debug messages in function main. It is very little change that it will be overridden. It is possible to see this issue with exported environment variable TALLOC_FREE_FILL=255 --- src/providers/krb5/krb5_child.c | 26 +++++++++++++++----------- src/providers/ldap/ldap_child.c | 1 + 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 22264e484d880c1527ec01e2d6c58c73c52cccd8..7c8403868eec3ac3f2ec51938ad870929dbdc279 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -2000,14 +2000,9 @@ int main(int argc, const char *argv[]) DEBUG_INIT(debug_level); - kr = talloc_zero(NULL, struct krb5_req); - if (kr == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); - exit(-1); - } - - debug_prg_name = talloc_asprintf(kr, "[sssd[krb5_child[%d]]]", getpid()); + debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid()); if (!debug_prg_name) { + debug_prg_name = "[sssd[krb5_child]]"; DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); ret = ENOMEM; goto done; @@ -2022,6 +2017,14 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n"); + kr = talloc_zero(NULL, struct krb5_req); + if (kr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + talloc_steal(kr, debug_prg_name); + ret = k5c_recv_data(kr, STDIN_FILENO, &offline); if (ret != EOK) { goto done; 
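Review bot: `talloc_steal(kr, debug_prg_name);` in the second hunk re-ties the lifetime of the log prefix to `kr`, which is exactly the coupling this commit exists to remove; it is only safe because the new `done:` block emits no DEBUG after `talloc_free(kr)`, and the next trace line added after cleanup will reintroduce the use-after-free. Leaving `debug_prg_name` under the NULL context, as ldap_child.c already does, and simply dropping the `talloc_steal` line removes the hazard; the child is about to `exit()`, so the string is reclaimed with the process. The `talloc_zero` failure path here abandons the already-allocated `debug_prg_name`, which is acceptable for an exiting child but worth a one-line comment such as `/* debug_prg_name is intentionally left for exit() to reclaim */`. The body of `main` continues outside this hunk.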
@@ -2080,13 +2083,14 @@ int main(int argc, const char *argv[])
 }
 done:
- krb5_cleanup(kr);
- talloc_free(kr);
 if (ret == EOK) {
 DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
- exit(0);
+ ret = 0;
 } else {
 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n");
- exit(-1);
+ ret = -1;
 }
+ krb5_cleanup(kr);
+ talloc_free(kr);
+ exit(ret);
 }
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 34f23ec80916210b29872caecf90c9855906ddf6..0e5e1614addedd293e93d0a33b3ed97f3ffa4c16 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -462,6 +462,7 @@ int main(int argc, const char *argv[])
 debug_prg_name = talloc_asprintf(NULL, "[sssd[ldap_child[%d]]]", getpid());
 if (!debug_prg_name) {
+ debug_prg_name = "[sssd[ldap_child]]";
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 goto fail;
 }
-- 
1.9.0
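Review bot: With `kr` now allocated after the log prefix, `krb5_cleanup(kr)` at `done:` can be reached with `kr == NULL` — both the `talloc_asprintf` failure and the `talloc_zero` failure earlier in main jump here before `kr` exists, whereas on the old side `kr` was always set by the time `done:` ran. `talloc_free(NULL)` is harmless, but whether `krb5_cleanup` tolerates NULL is not visible in this patch, so guard it: `if (kr != NULL) { krb5_cleanup(kr); }`. This also presumes `kr` is initialised to NULL at its declaration, which is outside the hunk; if it is not, the early jumps hand an indeterminate pointer to cleanup and free. The rest of `main` lies above this hunk.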