[krbdev.mit.edu #9192] Several bugs found by a static analyzer
Евгений Шемякин via RT
rt-comment at krbdev.mit.edu
Thu Dec 18 17:19:15 EST 2025
Thu Dec 18 17:19:15 2025: Request 9192 was acted upon.
Transaction: Ticket created by playersvn at gmail.com
Queue: krb5
Subject: Several bugs found by a static analyzer
Owner: Nobody
Requestors: playersvn at gmail.com
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9192 >
Good day!
I found several bugs in the krb5 library using a static analyzer:
1.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1114
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1699
The "make_spnego_tokenTarg_msg" function returns a value of the "OM_uint32"
type, therefore the check "make_spnego_tokenTarg_msg(...) < 0" is always
false. I think these checks should be replaced with
"make_spnego_tokenTarg_msg(...) != 0".
2.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/ser_actx.c#L188
We need to pass "auth_context->local_port" to the "k5_externalize_address"
function, not "auth_context->local_addr".
3.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/pac.c#L188
In this line the expression "sizeof(*types_out)" is equivalent to the
expression "sizeof(uint32_t*)", but here we need the size of the "uint32_t"
type, not the size of a pointer to "uint32_t".
With respect,
Evgeny Shemyakin
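The two C pitfalls behind items 1 and 3 of this report, reduced to a stand-alone demonstration. This is an added example and not code from the report or from krb5: the type `status_t`, the functions `build_token`, `detects_failure_buggy`, `detects_failure_fixed`, `alloc_bytes_buggy` and `alloc_bytes_fixed`, and the shape of the `types_out` out-parameter are all assumptions made here to mirror the patterns described above, not the real krb5 signatures.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumption: a stand-in for an unsigned status type such as OM_uint32. */
typedef uint32_t status_t;

/* Hypothetical token builder: zero means success, non-zero means failure. */
status_t build_token(int fail)
{
    return fail ? 1u : 0u;
}

/* Item 1, buggy form: an unsigned value is never negative, so this check
 * can never fire and a failed call is silently treated as success. */
int detects_failure_buggy(int fail)
{
    status_t st = build_token(fail);
    return st < 0;      /* always 0 for an unsigned type */
}

/* Item 1, fixed form: compare against the success value instead. */
int detects_failure_fixed(int fail)
{
    status_t st = build_token(fail);
    return st != 0;
}

/* Item 3, buggy form. Assumption: types_out is an out-parameter of type
 * uint32_t **, so sizeof(*types_out) is the size of a uint32_t *, not of
 * a uint32_t. Returns the number of bytes requested so the effect can be
 * observed; the caller owns the allocation. */
size_t alloc_bytes_buggy(uint32_t **types_out, size_t count)
{
    size_t bytes = count * sizeof(*types_out);   /* sizeof(uint32_t *) */
    *types_out = malloc(bytes);
    return bytes;
}

/* Item 3, fixed form: size the allocation by the element type. Using
 * sizeof(**types_out) keeps the expression tied to the pointer's actual
 * element type if the declaration ever changes. */
size_t alloc_bytes_fixed(uint32_t **types_out, size_t count)
{
    size_t bytes = count * sizeof(**types_out);  /* sizeof(uint32_t) */
    *types_out = malloc(bytes);
    return bytes;
}

int main(void)
{
    uint32_t *buf = NULL;

    printf("buggy check sees failure:  %d\n", detects_failure_buggy(1));
    printf("fixed check sees failure:  %d\n", detects_failure_fixed(1));

    printf("buggy bytes for 4 entries: %zu\n", alloc_bytes_buggy(&buf, 4));
    free(buf);
    printf("fixed bytes for 4 entries: %zu\n", alloc_bytes_fixed(&buf, 4));
    free(buf);
    return 0;
}
```

Compilers flag the first pattern with `-Wtype-limits` (part of `-Wextra` in GCC), which is a cheap way to catch it in CI alongside a static analyzer; the `sizeof` mismatch is easier to spot when the element type is derived from the pointer (`sizeof(**types_out)`) rather than written out by hand.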