[krbdev.mit.edu #2881] Crash on exit in mitkfw 2.6.5 after krb5_copy_cred call in cc_mslsa.c

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Fri Jan 14 22:13:35 EST 2005


Andrei:

Please try the following patches:

Index: copy_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/copy_princ.c,v
retrieving revision 5.24
diff -u -w -r5.24 copy_princ.c
--- copy_princ.c        3 Sep 2002 01:13:45 -0000       5.24
+++ copy_princ.c        15 Jan 2005 03:11:37 -0000
@@ -60,31 +60,35 @@
     for (i = 0; i < nelems; i++) {
        unsigned int len = krb5_princ_component(context, inprinc,
i)->length;
        krb5_princ_component(context, tempprinc, i)->length = len;
+        if (len) {
        if (((krb5_princ_component(context, tempprinc, i)->data =
-             malloc(len)) == 0) && len) {
+                   malloc(len)) == 0)) {
            while (--i >= 0)
                free(krb5_princ_component(context, tempprinc, i)->data);
            free (tempprinc->data);
            free (tempprinc);
            return ENOMEM;
        }
-       if (len)
            memcpy(krb5_princ_component(context, tempprinc, i)->data,
                   krb5_princ_component(context, inprinc, i)->data, len);
+        } else
+            krb5_princ_component(context, tempprinc, i)->data = 0;
     }

+    if (tempprinc->realm.length) {
     tempprinc->realm.data =
            malloc(tempprinc->realm.length = inprinc->realm.length);
-    if (!tempprinc->realm.data && tempprinc->realm.length) {
+        if (!tempprinc->realm.data) {
            for (i = 0; i < nelems; i++)
                    free(krb5_princ_component(context, tempprinc, i)->data);
            free(tempprinc->data);
            free(tempprinc);
            return ENOMEM;
     }
-    if (tempprinc->realm.length)
        memcpy(tempprinc->realm.data, inprinc->realm.data,
               inprinc->realm.length);
+    } else
+        tempprinc->realm.data = 0;

     *outprinc = tempprinc;
     return 0;
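Review bot: The new guard `if (tempprinc->realm.length)` reads tempprinc's realm length before this hunk assigns it (the only assignment, `tempprinc->realm.length = inprinc->realm.length`, sits inside the malloc call two lines further down), so it is correct only if code above the hunk has already copied the length from inprinc, which the hunk cannot show; the else branch likewise nulls `data` while leaving `length` untouched. Testing the source keyblock makes the block self-contained: `tempprinc->realm.length = inprinc->realm.length;` before the guard, then `if (inprinc->realm.length) {` and `tempprinc->realm.data = malloc(inprinc->realm.length);`. With zero-length components now carrying a NULL data pointer, both ENOMEM cleanup loops still work because free(NULL) is a no-op. krb5_copy_principal begins before this hunk and its closing brace is after it.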

Index: cp_key_cnt.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/cp_key_cnt.c,v
retrieving revision 5.12
diff -u -w -r5.12 cp_key_cnt.c
--- cp_key_cnt.c        3 Sep 2002 01:13:45 -0000       5.12
+++ cp_key_cnt.c        15 Jan 2005 03:11:37 -0000
@@ -36,9 +36,12 @@
 krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock
*from, krb5_keyblock *to)
 {
     *to = *from;
+    if (to->length) {
     to->contents = (krb5_octet *)malloc(to->length);
     if (!to->contents)
        return ENOMEM;
     memcpy((char *)to->contents, (char *)from->contents, to->length);
+    } else
+        to->contents = 0;
     return 0;
 }
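Review bot: On the ENOMEM path at `if (!to->contents) return ENOMEM;` the caller's keyblock is left half-initialized: `*to = *from` has already copied `length` and the other fields, so `to` reports from's length with a NULL `contents`, and a caller that inspects or frees `to` after the failure sees an inconsistent keyblock. Resetting the length on failure keeps the error state self-describing: `if (!to->contents) { to->length = 0; return ENOMEM; }`. The new else branch is the right shape, since it no longer hands back a malloc(0) result for an empty keyblock that a later free would have to match. The function also relies on `from->contents` being valid for `from->length` bytes without checking it; a short comment stating that precondition would help, e.g. `/* from->contents must hold from->length bytes; an empty keyblock yields contents == NULL */`.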


