Bug in gss_krb5_ccache_name

Tue Feb 4 11:13:07 EST 2003

It appears that gss_krb5_ccache_name should return a previous cache name
when the caller passes a non-null out_name.  The code attempts to do this,
but it returns a pointer to the cache name storage and not a copy, so when
the name gets set by the call to krb5_cc_set_default_name, the name that is
returned in out_name gets set to the new name and not the old name.

This is in the 1.2.7 source.

Perhaps 
    if (out_name)
        *out_name = krb5_cc_default_name(context);
Should be replaced with
    if (out_name)
    {
        const char * old_ccache = krb5_cc_default_name(context);
        *out_name = old_ccache ? strdup( old_ccache ) : NULL;
    }

Unfortunately, this call is used in kadm5/clnt/client_init.c, where that
code already does a strdup on the returned old name...

Original 1.2.7 code in src/lib/gssapi/krb5/set_ccache.c:

GSS_DLLIMP OM_uint32 KRB5_CALLCONV
gss_krb5_ccache_name(minor_status, name, out_name)
    OM_uint32 *minor_status;
    const char *name;
    const char **out_name;
{
    krb5_context context;
    krb5_error_code retval;
    OM_uint32 foo_stat;

    if (GSS_ERROR(kg_get_context(minor_status, &context)))
        return (GSS_S_FAILURE);

    if (out_name)
        *out_name = krb5_cc_default_name(context);

    retval = krb5_cc_set_default_name(context, name);
    if (retval) {
        *minor_status = retval;
        return GSS_S_FAILURE;
    }
    kg_release_defcred(&foo_stat);
    return GSS_S_COMPLETE;
}

-- 
Paul W. Nelson
Thursby Software Systems, Inc.