[krbdev.mit.edu #7087] [BUG krb5-1.10] krb5_gss_get_name_attribute
Ian Abbott via RT
rt-comment at krbdev.mit.edu
Fri Feb 3 13:19:16 EST 2012
Hi krb5 maintainers,
I think there is a bug in krb5_gss_get_name_attribute introduced in
release 1.10 around lines 389-394 of src/lib/gssapi/krb5/naming_exts.c:
    if (display_value != NULL) {
        if (code != 0)
            code = data_to_gss(&kdisplay_value, display_value);
        else
            free(kdisplay_value.data);
    }
I think the "if (code != 0)" test needs to be inverted, otherwise
*display_value is never set when the function returns 0 for success.
I found this when trying to figure out why Samba3's smbd was crapping
out on me. It called gss_get_name_attribute with display_value pointing
to an uninitialized gss_buffer_t variable on the stack and later passed
a pointer to the same variable to gss_release_buffer() which caused
glib's free() to abort the process because display_value->value was an
uninitialized pointer.
Best regards,
Ian Abbott.
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti at mev.co.uk> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
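As an added illustration, not krb5's code and not part of the report above, here is a self-contained C model of the branch with the test the right way round, plus the caller-side habit (start from an empty buffer) that keeps a later release safe. The types, data_to_gss and the simulated lookup are hypothetical stand-ins for the krb5/GSSAPI ones.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for krb5_data and gss_buffer_desc (not the real definitions). */
typedef struct { unsigned int length; char *data; } kdata;
typedef struct { size_t length; void *value; } gbuf;

/* Hand the krb5_data storage to the GSS buffer (ownership transfer). Models the role
 * data_to_gss plays in the report; it is not krb5's implementation. */
static int data_to_gss(kdata *in, gbuf *out)
{
    out->length = in->length;
    out->value = in->data;
    in->data = NULL;
    return 0;
}

/* Tail of a get_name_attribute-style function with the condition corrected:
 * on success (code == 0) the value goes to the caller, on failure the temporary
 * is freed. 'found' simulates the attribute lookup result. */
int get_name_attribute(int found, const char *attr, gbuf *display_value)
{
    int code = 0;
    kdata kdisplay_value = { 0, NULL };
    size_t n = strlen(attr);
    kdisplay_value.data = malloc(n + 1);      /* simulated lookup allocates the value */
    if (kdisplay_value.data == NULL)
        return ENOMEM;
    memcpy(kdisplay_value.data, attr, n + 1);
    kdisplay_value.length = (unsigned int)n;
    if (!found)
        code = EINVAL;                         /* simulated lookup failure */
    if (display_value != NULL) {
        if (code == 0)
            code = data_to_gss(&kdisplay_value, display_value);
        else
            free(kdisplay_value.data);         /* nobody took ownership: free it */
    } else {
        free(kdisplay_value.data);             /* caller did not ask for the value */
    }
    return code;
}

/* Caller-side counterpart of gss_release_buffer: harmless on an empty buffer,
 * which is why callers should initialise the buffer before the call. */
void release_buffer(gbuf *b)
{
    free(b->value);
    b->value = NULL;
    b->length = 0;
}
```

With the corrected test, a caller that starts from `{ 0, NULL }` gets a filled buffer on success and an untouched, still-releasable buffer on failure.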