STABLE14-windows-afskfw-bluescreen-20070418

The afskfw library contains an unprotected call to krb5_free_context
which can result in krb5_free_context being called with a NULL pointer.
MIT's Kerberos libraries do not check that the pointer is non-NULL and
will attempt to use it as a valid pointer which will in turn result
in an invalid memory access error.

This library is used by afslogon.dll which is loaded by winlogon.exe.

If the krb5 profile is invalid, the krb5_init_context call will fail
to allocate a krb5_context structure which can then result in
krb5_free_context being called with a NULL pointer.

An unhandled exception within winlogon.exe will cause a blue screen event
on Windows 2000, XP and 2003.

(cherry picked from commit 85a23a70c783364e039f2a1b402ba718c1fc34a5)

diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index 7123c45123a9375ae519c0a216ec9d61400e6844..4a4a07e1c1fbb9d7001f090a055b5e98d2628025 100644 (file)
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -1422,7 +1422,8 @@ KFW_AFS_destroy_tickets_for_cell(char * cell)
         }
         free(principals);
     }
-    pkrb5_free_context(ctx);
+    if (ctx)
+               pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1476,7 +1477,8 @@ KFW_AFS_destroy_tickets_for_principal(char * user)
         free(cells);
     }
 
-    pkrb5_free_context(ctx);
+    if (ctx)
+               pkrb5_free_context(ctx);
     return 0;
 }
 
@@ -1700,7 +1702,8 @@ KFW_AFS_renew_token_for_cell(char * cell)
         code = -1;      // we did not renew the tokens 
 
   cleanup:
-    pkrb5_free_context(ctx);
+    if (ctx) 
+               pkrb5_free_context(ctx);
     return (code ? FALSE : TRUE);
 
 }