Bug in rd_cred.c?
Joseph Galbraith
galb at vandyke.com
Fri Aug 15 17:28:42 EDT 2003
In decrypt_credencdata, there is the following code:
    /* now decode the decrypted stuff */
    if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
        goto cleanup_encpart;
    *pcredenc = *ppart;
    retval = 0;
cleanup_encpart:
    memset(ppart, 0, sizeof(*ppart));
    krb5_xfree(ppart);
However, it appears that decode_krb5_enc_cred_part
cleans up and deallocates ppart if it fails, resulting
in us freeing it a second time when we do krb5_xfree().
This latter causes a crash in malloc in the server
we're writing.
Now, this is the first time I've ever looked at the
krb5 code, so I could be mistaken in my analysis.
When I change goto cleanup_encpart to goto cleanup,
however, my server no longer crashes, and I get
a nice "ASN.1 identifier doesn't match expected value"
error.
- Joseph
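As an added illustration of the ownership problem described in the report (not code from krb5 or from the poster), the following C program models a decoder that frees its own partial result on failure, and a caller that mirrors the corrected control flow (jump past the free on failure). The names decode_part, read_part and enc_part are hypothetical, and the "GOOD" string stands in for a well-formed ASN.1 encoding; the decoder additionally resets the output pointer to NULL on failure so that the caller cannot free a dangling pointer even if the success-path cleanup were reached.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the decoded credential part. */
typedef struct { int value; } enc_part;

/* Hypothetical decoder following the ownership rule the report implies
   for decode_krb5_enc_cred_part: on failure the callee releases what it
   allocated. It also resets *out to NULL so a caller that frees
   unconditionally cannot double free the dangling pointer. */
static int decode_part(const char *buf, enc_part **out) {
    enc_part *p = calloc(1, sizeof *p);
    if (p == NULL)
        return -1;
    /* "GOOD" stands in for a well-formed encoding; anything else models
       the "ASN.1 identifier doesn't match" failure from the report. */
    if (strcmp(buf, "GOOD") != 0) {
        free(p);      /* callee owns the partial result on failure */
        *out = NULL;  /* leave nothing for the caller to free again */
        return 1;
    }
    p->value = 42;
    *out = p;
    return 0;
}

/* Caller mirroring the corrected flow from the report: on decode failure
   jump to `cleanup`, past the free that belongs only to the success path. */
static int read_part(const char *buf, enc_part *result) {
    enc_part *ppart = NULL;
    int retval;

    if ((retval = decode_part(buf, &ppart)))
        goto cleanup;  /* decoder already freed ppart; do not free it here */
    *result = *ppart;
    retval = 0;
    /* Success path only: scrub and release the decoded structure. */
    memset(ppart, 0, sizeof *ppart);
    free(ppart);
    ppart = NULL;
cleanup:
    /* With the NULL-on-failure convention ppart is always NULL here, so a
       defensive guard costs nothing and rules out a second free. */
    if (ppart != NULL)
        free(ppart);
    return retval;
}
```

Running read_part with "GOOD" returns 0 and copies the decoded value out; with any other input it returns 1 without touching the freed allocation. The decoder's `*out = NULL` line is the convention worth enforcing: whichever side frees on failure should also null the pointer it hands back, so the caller's cleanup label stays safe to reach from either path.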