rra / pam-krb5

PAM module for Kerberos authentication
https://www.eyrie.org/~eagle/software/pam-krb5/

crash due to access to invalid context->princ pointer after error in pamk5_account #20

Closed MichaelMuehle closed 3 years ago

MichaelMuehle commented 3 years ago

Debugging a crash problem in my local cups server that has pam_krb5 in its pam configuration, I found a problem in pam_krb5. Due to a not yet known issue, the krb5_cc_get_principal call in https://github.com/rra/pam-krb5/blob/ad9e3fe86fe14537072fe1f3cf5c3564e27a90c1/module/account.c#L83 is failing. As ctx->princ is freed just before this call but not reset to NULL, the member seems to be left in an invalid state. In the error handling, _pam_free_data is called from pam_end and tries to release ctx->princ again, causing a crash. So I think ctx->princ should be reset after the free in account.c above.

Regards Michael
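The failure sequence described in the report, modelled as an added C example that is not pam-krb5's own code: a reduced context struct, an instrumented free that reports a second free of the same address instead of crashing, and the account step run once without and once with the NULL reset after the free. The struct, function names and principal allocation are constructed stand-ins for the real libkrb5 and PAM calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct ctx { char *princ; };  /* stand-in for the pam-krb5 context, reduced to the field at issue */

/* Instrumented free: remembers freed addresses and counts a second free
 * of the same address instead of corrupting the heap. */
static uintptr_t freed[8]; static int freed_n, double_frees;

static void princ_free(char *p) {
    for (int i = 0; i < freed_n; i++)
        if (freed[i] == (uintptr_t)p) { double_frees++; return; } /* real code crashes here */
    if (freed_n < 8) freed[freed_n++] = (uintptr_t)p;
    free(p);
}

/* Models krb5_cc_get_principal: on failure it returns non-zero and leaves
 * *out untouched, which is the case the report describes. */
static int cc_get_principal(bool fail, char **out) {
    if (fail) return 1;
    *out = malloc(32);  /* constructed stand-in for a freshly read principal */
    return 0;
}

/* Models the account step: free the old principal, then reload it.
 * reset_after_free = false reproduces the bug, true applies the fix. */
static int account_step(struct ctx *c, bool lookup_fails, bool reset_after_free) {
    if (c->princ != NULL) {
        princ_free(c->princ);
        if (reset_after_free)
            c->princ = NULL;  /* the one-line fix: no dangling pointer left behind */
    }
    return cc_get_principal(lookup_fails, &c->princ);
}

/* Models _pam_free_data, which pam_end runs on the error path. */
static void pam_free_data(struct ctx *c) {
    if (c->princ != NULL) { princ_free(c->princ); c->princ = NULL; }
}

/* Runs the failing-lookup scenario; returns how many double frees occurred. */
int run_scenario(bool reset_after_free) {
    freed_n = double_frees = 0;
    struct ctx c = { malloc(32) };                    /* principal set during auth */
    (void)account_step(&c, true, reset_after_free);   /* lookup fails */
    pam_free_data(&c);                                /* cleanup from pam_end */
    return double_frees;
}
```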

rra commented 3 years ago

Good catch, I agree. If krb5_cc_get_principal fails, the structure can be left in an invalid state that could result in a double free.

I suspect there's still something else going wrong for you because that krb5_cc_get_principal call should not be failing, so I think you'll still have problems, but regardless this is a bug that needs to be fixed.