[krbdev.mit.edu #6208] krb5_change_set_password string argument allocation causes leaks

Alexandra Ellwood via RT rt-comment at krbdev.mit.edu
Tue Oct 21 14:52:13 EDT 2008


krb5_change_set_password returns an error from the KDC in result_code and two error strings 
in krb5_data structures: result_code_string and result_string.

If result_code is non-zero, result_string is set to a string.  However, result_code_string is 
unconditionally set to "Password change failed", even when result_code is 0.  This makes it 
difficult for the caller to figure out if it needs to call krb5_free_data_contents.

Also, krb5_change_set_password allows the caller to pass NULL for result_code_string but not result_string.  Seems like either both should be allowed to be NULL or neither.
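
The cleanup problem described in this report, as an added example that is not part of the original message and is not MIT krb5 code: a small model of the reported behaviour, showing that a caller who frees only on a non-zero result_code leaks result_code_string on success, while zero-initialising both outputs and freeing both unconditionally does not. Assumptions: `data_t`, `set_string`, `free_contents`, `model_change_password` and `strings_leaked` are hypothetical stand-ins written for this illustration, and the error text is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data, reduced to the two fields used here. */
typedef struct { unsigned int length; char *data; } data_t;

static int live_allocs = 0;          /* outstanding strings, for the leak check */

static void set_string(data_t *d, const char *s) {
    size_t n = strlen(s);
    if ((d->data = malloc(n + 1)) == NULL) { d->length = 0; return; }
    memcpy(d->data, s, n + 1);
    d->length = (unsigned int)n;
    live_allocs++;
}

/* Stand-in for krb5_free_data_contents: a no-op on an empty structure. */
static void free_contents(data_t *d) {
    if (d->data != NULL) { free(d->data); live_allocs--; }
    d->data = NULL;
    d->length = 0;
}

/* Hypothetical model of the reported behaviour: result_code_string is set
 * whatever the result code is, result_string only when it is non-zero. */
static void model_change_password(int kdc_code, int *result_code,
                                  data_t *result_code_string, data_t *result_string) {
    *result_code = kdc_code;
    if (result_code_string != NULL)
        set_string(result_code_string, "Password change failed");
    if (kdc_code != 0)
        set_string(result_string, "constructed error text");
}

/* Returns the number of strings still allocated after the caller's cleanup.
 * free_always = 0: free only when result_code != 0 (what the code suggests).
 * free_always = 1: zero-initialise, then free both outputs unconditionally. */
int strings_leaked(int kdc_code, int free_always) {
    int before = live_allocs, result_code = -1;
    data_t code_str = { 0, NULL }, res_str = { 0, NULL };

    model_change_password(kdc_code, &result_code, &code_str, &res_str);
    if (free_always || result_code != 0) {
        free_contents(&code_str);
        free_contents(&res_str);
    }
    return live_allocs - before;
}
```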
