Bug in rd_cred.c?

Joseph Galbraith galb at vandyke.com
Fri Aug 15 17:28:42 EDT 2003

In decrypt_credencdata, there is the following code:

     /*  now decode the decrypted stuff */
     if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
         goto cleanup_encpart;

     *pcredenc = *ppart;
     retval = 0;

     memset(ppart, 0, sizeof(*ppart));

However, it appears that decode_krb5_enc_cred_part,
cleans up and deallocates ppart if it fails, resulting
in use freeing it a second time when we do krb5_xfree().

This latter causes a crash in malloc in the server
we're writting.

Now, this is the first time I've ever looked at the
krb5 code, so I could be mistaken in my analysis.

When I change goto cleanup_encpart to goto cleanup,
however, my server no longer crashes, and I get
a nice "ASN.1 identifier doesn't match expected value"

- Joseph

More information about the krbdev mailing list