<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body>Hi,
<div>I have recently encountered a segfault while using psql (PostgreSQL client, version 13) on macOS. psql uses krb5-1.21.2 internally, and as I started exploring the problem I obtained the following call stack that led to the segfault:</div>
<pre>
0 libkrb5.3.3.dylib           0x10471ec18 krb5_free_principal + 20
1 libkrb5.3.3.dylib           0x104701ad0 krb5_cccol_have_content + 188
2 libgssapi_krb5.2.2.dylib    0x104531894 acquire_cred_context + 1664
3 libgssapi_krb5.2.2.dylib    0x10453119c acquire_cred_from + 688
4 libgssapi_krb5.2.2.dylib    0x104523180 gss_add_cred_from + 624
</pre>
<div>So it seems to me that the problem is in the krb5 library. I looked at the source code and the problem seems obvious to me, but I might be missing something here. I have attached a patch to fix it, and here's my understanding of what's going on there: inside krb5_cccol_have_content the princ variable may stay uninitialized even after a call to krb5_cc_get_principal, so krb5_free_principal will try to free a garbage pointer, or it might try to do a double free if princ was assigned and freed on a previous loop iteration. Setting princ to NULL at the beginning of each loop seems enough to me, because krb5_free_principal has checks for NULL.</div>
<div><br></div>
<div>Regards,</div>
<div>Ilya</div>
<div><br></div>
<div>P.S. You might want to update the URL to access the repository on the website <a href="https://kerberos.org/dist/testing.html#git">https://kerberos.org/dist/testing.html#git</a>, as GitHub no longer supports git:// protocol links.</div>
</body></html>
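As an added illustration of the loop pattern the message describes (this is not the attached patch or krb5's own code; the ccache_t/principal_t types and the cc_get_principal/free_principal stand-ins are simplified assumptions that mimic the real calls' contract of leaving the output untouched on error), here is the hardened loop with princ reset to NULL at the top of each iteration, driven over a constructed cache collection in which an empty cache follows a populated one:

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified models of the krb5 types, not the real library's definitions. */
typedef struct { const char *name; } principal_t;
typedef struct { const char *name; int has_principal; } ccache_t;

/* Models krb5_cc_get_principal: on failure it returns nonzero and leaves *out
 * untouched, which is what makes an uninitialized or stale princ dangerous. */
static int cc_get_principal(const ccache_t *cache, principal_t **out) {
    if (!cache->has_principal)
        return 1;                       /* error path: *out is NOT written */
    principal_t *p = malloc(sizeof *p);
    if (p == NULL)
        return 2;
    p->name = cache->name;
    *out = p;
    return 0;
}

/* Models krb5_free_principal: NULL-safe, like the real one. */
static void free_principal(principal_t *p) {
    free(p);                            /* free(NULL) is a no-op */
}

/* Hardened loop: princ is reset to NULL before every lookup, so a failed lookup
 * never hands free_principal a garbage pointer (first iteration) or an
 * already-freed one (after an earlier successful iteration). Returns the
 * number of caches that contained a principal. */
int count_caches_with_content(const ccache_t *caches, size_t n) {
    principal_t *princ;                 /* declared once, as in the library */
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        princ = NULL;                   /* the fix: start each iteration clean */
        if (cc_get_principal(&caches[i], &princ) == 0)
            found++;
        free_principal(princ);          /* NULL or a live allocation, never stale */
    }
    return found;
}

int main(void) {
    /* Constructed sample collection: an empty cache follows a populated one,
     * the exact sequence that would double-free without the reset. */
    const ccache_t caches[] = {
        { "alice@EXAMPLE.COM", 1 }, { "", 0 }, { "bob@EXAMPLE.COM", 1 }, { "", 0 },
    };
    printf("caches with content: %d\n",
           count_caches_with_content(caches, sizeof caches / sizeof caches[0]));
    return 0;
}
```

Running it under AddressSanitizer or valgrind is a useful regression check for this class of bug: remove the `princ = NULL;` line and the second cache in the sample triggers the double free the message describes.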