[krbdev.mit.edu #5552] minor incompatibility krb5-1.6.1 and OpenSSH_4.6p1, OpenSSL 0.9.8e

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Tue May 1 20:54:53 EDT 2007


Jeffrey Altman via RT wrote:
> And this patch to src/lib/krb5/krb/gc_frm_kdc.c:

The patch should have been against gic_opt.c but in any case it was
wrong.  Here is a patch that will work.  Unlike the prior messages
this version has actually been built and tested against real code.

Index: gic_opt.c
===================================================================
--- gic_opt.c   (revision 19536)
+++ gic_opt.c   (working copy)
@@ -206,11 +206,21 @@
     oe = krb5int_gic_opte_alloc(context);
     if (NULL == oe)
        return ENOMEM;
-    memcpy(oe, opt, sizeof(*opt));
-    /* Fix these -- overwritten by the copy */
-    oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
-                  KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+
+    if (opt)
+        memcpy(oe, opt, sizeof(*opt));

+    /*
+     * Fix the flags -- the EXTENDED flag would have been
+     * overwritten by the copy if there was one.  The
+     * SHADOWED flag is necessary to ensure that the
+     * krb5_gic_opt_ext structure that was allocated
+     * here will be freed by the library because the
+     * application is unaware of its existence.
+     */
+    oe->flags |= (KRB5_GET_INIT_CREDS_OPT_EXTENDED |
+                  KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+
     *opte = oe;
     return 0;
 }
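
Review bot: When `opt` is NULL the new `if (opt)` guard skips the memcpy, so every field of `oe` other than `flags` keeps whatever krb5int_gic_opte_alloc() left there, and the hunk does not show whether that allocator zero-fills the structure. If it does, a short comment at the guard saying so would make the NULL path obviously safe; if it does not, the structure should be initialized explicitly before `oe->flags |= ...`, otherwise the library will later read uninitialized option fields. It is also worth noting in the block comment that a NULL `opt` is now an accepted input, since that is the behavioural change callers depend on, and that `sizeof(*opt)` is the size of the caller's non-extended structure, so the copy relies on the extended structure being at least that large.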



