Fix aklog segfault

In auth_to_cell(), we only strdup() into the linkedcell argument
if there is a linkedCell in the current cellconf.  However, in
main(), we free linkedcell if it is non-NULL, but it is allocated
on the stack and could contain garbage.  free() chokes on such
garbage, causing aklog to abort().
If we copy nothing into linkedcell, set it to NULL so that we
do not attempt to free the bogus pointer.

Change-Id: I92905a5f17021ce1bc41909f5ceb1b0344456d93
Reviewed-on: http://gerrit.openafs.org/2213
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index 240854778ef49915f08d3843029e4f338a79982a..d3bb44c3d0ec74a3438cc48b939ec82fbf075549 100644 (file)
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -968,11 +968,15 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
     if ((status = get_cellconfig(cell, &cellconf, &local_cell)))
        return(status);
 
-    if (linkedcell != NULL && cellconf.linkedCell != NULL) {
-       *linkedcell = strdup(cellconf.linkedCell);
-       if (*linkedcell == NULL) {
-           status = ENOMEM;
-           goto out;
+    if (linkedcell != NULL) {
+       if (cellconf.linkedCell != NULL) {
+           *linkedcell = strdup(cellconf.linkedCell);
+           if (*linkedcell == NULL) {
+               status = ENOMEM;
+               goto out;
+           }
+       } else {
+           *linkedcell = NULL;
        }
     }