asn1: fix use-after-free in asn1_write

On talloc_realloc failure, asn1_write calls talloc_free on an asn1_data
pointer and then tries to immediately set the has_error flag on it.

Skip the free and just set the has_error flag.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Oct 14 16:54:35 CEST 2013 on sn-devel-104

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 70637a3e065c48d5063a95d22bea392559f35622..7e85d4b19a555e635db7e06cbb77add1e46349c2 100644 (file)
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -44,7 +44,6 @@ bool asn1_write(struct asn1_data *data, const void *p, int len)
                uint8_t *newp;
                newp = talloc_realloc(data, data->data, uint8_t, data->ofs+len);
                if (!newp) {
-                       asn1_free(data);
                        data->has_error = true;
                        return false;
                }