[krbdev.mit.edu #2586] [Doug Mitchell] memory smasher
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Fri Jun 4 16:44:54 EDT 2004
Message-Id: <0E727712-B65A-11D8-9618-0003933F311A at apple.com>
Cc: Doug Mitchell <dmitch at apple.com>
From: Doug Mitchell <dmitch at apple.com>
Subject: memory smasher
Date: Fri, 4 Jun 2004 12:04:51 -0700
To: Sam Hartman <hartmans at mit.edu>
Are you interested in bug reports outside of the area of PKINIT? I
found a memory smasher in krb5_unparse_name_ext() in which the optional
size pointer argument is sometimes dereferenced. Actually as far as I
can tell the only way this function is ever called is from the
krb5_unparse_name() function which passes in a NULL for the size
argument. Diffs follow.
--dpm
Index: unparse.c
===================================================================
RCS file:
/cvs/root/Kerberos/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/
unparse.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 unparse.c
--- unparse.c 2004/04/08 19:59:22 1.1.1.1
+++ unparse.c 2004/06/04 19:03:27
@@ -99,7 +99,7 @@
* We need only n-1 seperators for n components, but we need
* an extra byte for the NULL at the end.
*/
- if (*name) {
+ if (*name && size) {
if (*size < (totalsize)) {
*size = totalsize;
*name = realloc(*name, totalsize);
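Review bot: Changing the guard to `if (*name && size)` stops the NULL dereference of `size`, but it also changes control flow for the case the report describes as the only real caller, `*name` non-NULL with `size == NULL`: that call now skips the resize path and falls through to whatever follows this `if`, which is outside the visible hunk, so the rest of the function needs checking to confirm it neither overwrites `*name` without freeing the caller's buffer nor writes `totalsize` bytes into a buffer whose length was never checked. Handling a NULL `size` explicitly before this block (treat it as "buffer length unknown") would make the intended behaviour visible in the diff rather than implied by fall-through. While here, `*name = realloc(*name, totalsize);` drops the original pointer when `realloc` fails; assigning to a temporary and checking for NULL first avoids the leak. The context comment also misspells "separators".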
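As an added example, not krb5's code and not the patch above, here is a simplified unparse routine with the same optional-size contract the report describes: a NULL `size` means the caller supplied no buffer length, so the function never dereferences it and refuses to write into an existing buffer whose length it cannot check. The function name `unparse_ext`, its argument list and the choice to return EINVAL in that case are assumptions for illustration.

```c
/* Added example (not krb5 code). Names are hypothetical. A NULL `size`
 * means "no buffer length supplied": it must never be dereferenced, and a
 * caller-provided *name of unknown length must not be written into. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Joins components with '/' and appends "@realm"; grows *name as needed.
 * Returns 0 on success and stores the buffer length in *size when size is
 * non-NULL. Returns EINVAL if *name is already set but size is NULL, since
 * the existing buffer's length is unknown. Returns ENOMEM on allocation
 * failure, leaving the caller's buffer intact. */
int unparse_ext(const char **comps, size_t ncomps, const char *realm,
                char **name, size_t *size)
{
    size_t i, totalsize = 0, pos = 0;
    char *buf;

    for (i = 0; i < ncomps; i++)
        totalsize += strlen(comps[i]) + 1;   /* component plus '/' or '@' */
    totalsize += strlen(realm) + 1;          /* realm plus trailing NUL */

    if (*name == NULL) {
        buf = malloc(totalsize);
        if (buf == NULL)
            return ENOMEM;
        *name = buf;
        if (size != NULL)                     /* size is optional here */
            *size = totalsize;
    } else {
        if (size == NULL)                     /* length unknown: refuse */
            return EINVAL;
        if (*size < totalsize) {
            buf = realloc(*name, totalsize);  /* temp keeps old buffer on failure */
            if (buf == NULL)
                return ENOMEM;
            *name = buf;
            *size = totalsize;
        }
    }
    for (i = 0; i < ncomps; i++) {
        size_t len = strlen(comps[i]);
        memcpy(*name + pos, comps[i], len);
        pos += len;
        (*name)[pos++] = (i + 1 < ncomps) ? '/' : '@';
    }
    strcpy(*name + pos, realm);
    return 0;
}
```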