[krbdev.mit.edu #8567] Bug in mslsa ccahe

Benjamin Kaduk via RT rt-comment at krbdev.mit.edu
Wed Apr 5 22:47:13 EDT 2017


On Fri, Mar 31, 2017 at 12:06:53AM -0400, Alexander Karaivanov via RT wrote:
>    Hi
> 
>    I believe I've found a bug in mit krb. The bug is in krb5_lcc_data() 
> in src/lib/krb5/ccache/cc_mslsa.c.
> 
> When krb5_lcc_data is allocated, data->flags is not initialized. As 
> a result, krb5_lcc_next_cred() may not copy the ticket if flags 
> happens to have the KRB5_TC_NOTICKET bit randomly set.
> 
> Here is a simple fix:
> 
> diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
> index 7a80470..c741a50 100644
> --- a/src/lib/krb5/ccache/cc_mslsa.c
> +++ b/src/lib/krb5/ccache/cc_mslsa.c
> @@ -1553,6 +1553,7 @@ krb5_lcc_resolve (krb5_context context, 
> krb5_ccache *id, const char *residual)
>       data->LogonHandle = LogonHandle;
>       data->PackageId = PackageId;
>       data->princ = NULL;
> +    data->flags = 0;
> 
>       data->cc_name = (char *)malloc(strlen(residual)+1);
>       if (data->cc_name == NULL) {
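Review bot: the added `data->flags = 0;` closes the one uninitialized read the report describes, but the surrounding code initializes the freshly allocated `data` one member at a time (`LogonHandle`, `PackageId`, `princ`, and now `flags`), so any member that is not listed here starts with whatever the allocator left behind and can produce the same kind of garbage-driven behaviour (here, a stray KRB5_TC_NOTICKET bit suppressing the ticket copy). Consider allocating `data` with `calloc()` or zeroing it with `memset()` right after the allocation instead; `data->princ = NULL;` and the new `data->flags = 0;` then become redundant but harmless. Separately, the `@@ -1553,6 +1553,7 @@` header has been wrapped onto two lines by the mail client, so this patch will not apply as pasted; attaching it rather than inlining it would avoid that.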

One could argue whether we should just zero the entire allocation
(and drop the princ and flags initialization as redundant), but on
first look this seems to generally be the right thing to do.

-Ben
