From rt-comment at krbdev.mit.edu Thu Dec 18 17:19:15 2025
From: rt-comment at krbdev.mit.edu (Евгений Шемякин via RT)
Date: Thu, 18 Dec 2025 17:19:15 -0500
Subject: [krbdev.mit.edu #9192] Several bugs found by a static analyzer
In-Reply-To:
References:
Message-ID:

Thu Dec 18 17:19:15 2025: Request 9192 was acted upon.

Transaction: Ticket created by playersvn at gmail.com
       Queue: krb5
     Subject: Several bugs found by a static analyzer
       Owner: Nobody
  Requestors: playersvn at gmail.com
      Status: new
      Ticket

Good day!

I found several bugs in the krb5 library using a static analyzer:

1. https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1114
   https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1699

   The "make_spnego_tokenTarg_msg" function returns a value of the "OM_uint32" type, therefore the check "make_spnego_tokenTarg_msg(...) < 0" is always false. I think these checks should be replaced with the check "make_spnego_tokenTarg_msg(...) != 0".

2. https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/ser_actx.c#L188

   We need to pass "auth_context->local_port" to the "k5_externalize_address" function, not "auth_context->local_addr".

3. https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/pac.c#L188

   In this line the expression "sizeof(*types_out)" is equivalent to the expression "sizeof(uint32_t*)", but here we need the size of the "uint32_t" type, not the size of a pointer to "uint32_t".

With respect,
Evgeny Shemyakin
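The two defect classes from items 1 and 3 of the report, in a stand-alone C illustration added here (this is not krb5 code; the names make_token, caller_lt_zero, caller_ne_zero, bytes_wrong, bytes_right and collect_types are hypothetical, and the status values are constructed). It shows why a "< 0" test on an unsigned OM_uint32 status never fires while "!= 0" does, and why sizeof applied once through a uint32_t ** output parameter yields the pointer size rather than the element size.

```c
/* Added illustration of two bug patterns from the krb5 ticket; not krb5 code.
 * All function names and status values below are hypothetical/constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t OM_uint32;          /* GSSAPI status type: unsigned 32-bit */
#define STATUS_COMPLETE 0u           /* constructed "success" value */
#define STATUS_FAILURE  0x80000000u  /* constructed non-zero failure value */

/* Hypothetical token builder in the style of the reported function:
 * returns 0 on success and a non-zero status on failure. */
static OM_uint32 make_token(int fail)
{
    return fail ? STATUS_FAILURE : STATUS_COMPLETE;
}

/* Pattern 1 as reported: "< 0" on an unsigned return value is always false,
 * so the failure path is dead code. Returns 1 if the caller noticed an error. */
static int caller_lt_zero(int fail)
{
    OM_uint32 ret = make_token(fail);
    if (ret < 0)                     /* never true for an unsigned type */
        return 1;
    return 0;
}

/* The corrected check: any non-zero status is treated as a failure. */
static int caller_ne_zero(int fail)
{
    OM_uint32 ret = make_token(fail);
    if (ret != 0)
        return 1;
    return 0;
}

/* Pattern 3: types_out is a uint32_t ** describing an array the callee
 * allocates. sizeof(*types_out) is the size of a uint32_t * (the pointer),
 * while sizeof(**types_out) is the size of one uint32_t element.
 * Both helpers return the byte count they would allocate for `count` ids;
 * sizeof does not evaluate its operand, so a NULL argument is fine. */
static size_t bytes_wrong(uint32_t **types_out, size_t count)
{
    return count * sizeof(*types_out);   /* == count * sizeof(uint32_t *) */
}

static size_t bytes_right(uint32_t **types_out, size_t count)
{
    return count * sizeof(**types_out);  /* == count * sizeof(uint32_t) */
}

/* Hypothetical collector using the corrected element size: fills *types_out
 * with ids 0..count-1 and returns count, or 0 on allocation failure. */
static size_t collect_types(uint32_t **types_out, size_t count)
{
    uint32_t *types = calloc(count, sizeof(**types_out));
    if (types == NULL)
        return 0;
    for (size_t i = 0; i < count; i++)
        types[i] = (uint32_t)i;
    *types_out = types;
    return count;
}

/* Exercises collect_types and frees the result; returns 1 on success. */
static int collect_check(size_t count)
{
    uint32_t *types = NULL;
    if (collect_types(&types, count) != count)
        return 0;
    int ok = (count == 0) || (types[count - 1] == (uint32_t)(count - 1));
    free(types);
    return ok;
}

int main(void)
{
    printf("'< 0' check caught failure:  %d\n", caller_lt_zero(1));
    printf("'!= 0' check caught failure: %d\n", caller_ne_zero(1));
    printf("bytes for 4 ids: wrong=%zu right=%zu\n",
           bytes_wrong(NULL, 4), bytes_right(NULL, 4));
    printf("collect_types(3) ok: %d\n", collect_check(3));
    return 0;
}
```

Compiling with `-Wall -Wextra` makes GCC and Clang report the dead comparison in caller_lt_zero ("comparison of unsigned expression < 0 is always false"), which is the same finding a static analyzer raises; the sizeof mistake is silent at compile time and on 64-bit targets merely over-allocates (8 bytes per id instead of 4), which is why it survives testing and needs review or a checker to catch.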