autofs-5.0.1 - fix double free in do_sasl_bind()
From: Ian Kent <raven@themaw.net>
In do_sasl_bind() the connection negotiation loop can exit with the local variable server_cred non-null after it has been freed, leading to a double free.
---
 modules/cyrus-sasl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- autofs-5.0.1.orig/modules/cyrus-sasl.c
+++ autofs-5.0.1/modules/cyrus-sasl.c
@@ -349,8 +349,10 @@ do_sasl_bind(unsigned logopt, LDAP *ld,
 }
 }
- if (server_cred && server_cred->bv_len > 0)
+ if (server_cred && server_cred->bv_len > 0) {
 ber_bvfree(server_cred);
+ server_cred = NULL;
+ }
 } while ((bind_result == LDAP_SASL_BIND_IN_PROGRESS) ||
 (sasl_result == SASL_CONTINUE));
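Review bot: The new `server_cred = NULL;` sits inside the `bv_len > 0` branch, so a non-NULL `server_cred` with a zero-length value is neither freed nor cleared at the bottom of the loop. If the next iteration overwrites the pointer (not visible in this hunk), that berval would presumably leak. OpenLDAP's `ber_bvfree()` accepts NULL, so the length guard could be dropped: `ber_bvfree(server_cred); server_cred = NULL;`. The second free that the commit message describes, and the start and end of do_sasl_bind(), are outside the hunk, so any cleanup after the loop should be checked for the same guard-and-clear pattern. A short comment such as `/* cleared so a later cleanup cannot free it a second time */` would record why the assignment exists.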