[krbdev.mit.edu #6282] krb5kdc deref uninit memory on the stack on unknown principal (pk-init)

Zhanna Tsitkova via RT rt-comment at krbdev.mit.edu
Thu Dec 4 13:40:13 EST 2008


Crashes in de-ref of reply later when it tries to free memory; this is in the error path from a non-existent client principal.


diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c	2008-11-22 13:06:24.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c	2008-11-22 17:37:33.000000000 -0800
@@ -105,7 +105,7 @@
     ticket_reply.enc_part.ciphertext.data = 0;
     e_data.data = 0;
     encrypting_key.contents = 0;
-    reply.padata = 0;
+    memset(&reply, 0, sizeof(reply));
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
 
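Review bot: clearing the whole struct is the right fix for the crash on the unknown-principal error path, since any pointer field of reply that was never assigned is otherwise freed uninitialized, but the hunk leaves the neighbouring structs (ticket_reply, e_data, encrypting_key, session_key, enc_tkt_reply) initialized one field at a time, which is exactly the pattern that let reply's other fields go uninitialized. Suggest either applying memset() to those structs in the same way or adding a comment stating that every struct released in the cleanup path must be fully zeroed before the first error exit, so that a newly added pointer field does not reintroduce the bug. Also worth confirming that no jump to the cleanup label can happen before this line, because the memset only protects paths that reach it.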