Regarding "MIT krb5 Security Advisory 2005-002" fix

Jeffrey Hutzelman jhutz at
Tue Sep 19 01:13:26 EDT 2006

On Tuesday, September 19, 2006 10:12:36 AM +0530 Sachin Punadikar 
<punadikar.sachin at> wrote:

> I would like to point out that the above fix is only for the UDP
> communication part.

That's because the bug, which is due to use of an uninitialized automatic 
variable, only exists in that code path.

> For TCP communication, this kind of fix is missing.
> Here is the fix for TCP communication part.
> =============================================
> File: src/kdc/network.c
> Function : accept_tcp_connection()
> Line number : around 825
>     newconn->u.tcp.addr_s = addr_s;
>     newconn->u.tcp.addrlen = addrlen;
>     newconn->u.tcp.bufsiz = 1024 * 1024;
>     newconn->u.tcp.buffer = malloc(newconn->u.tcp.bufsiz);
>     newconn->u.tcp.start_time = time(0);
>     newconn->u.tcp.response = NULL;   /* Fix for MIT krb5 Security
> Advisory 2005-002: TCP part */
> ===============================================
> Let me know whether I am correct?

No; this change is not required.  In the UDP case, the fix initializes an 
automatic (stack) variable which was used before being initialized.  In the 
code you quote above, the *newconn was zeroed when it was allocated by 
add_fd(), so those structure members needing nonzero values need to be 
initialized here.

Technically, this makes the assumption that the underlying representation 
of a NULL pointer has all bits cleared, which is not guaranteed to be true. 
However, it is true on pretty much all modern systems, and certainly any on 
which this code builds.

BTW, please note that krbdev at is a public mailing list, and might 
not be an appropriate forum for reporting security issues.  For that 
purpose you may instead want to send mail to krbcore at (a private 
internal list), or send PGP-encrypted mail to one of the people whose email 
addresses appear at

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
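An added illustration of the distinction drawn in the reply above; this is not code from the krb5 tree. It uses a constructed, simplified connection struct (`struct conn`), a hypothetical `add_fd_like()` that stands in for add_fd()'s zeroed allocation, and a small check of the "null pointer is all bits cleared" assumption the reply mentions.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed, simplified stand-in for the KDC's per-connection struct. */
struct conn {
    int fd;
    size_t bufsiz;
    char *buffer;
    void *response;   /* the member the poster proposed to set to NULL */
};

/* Hypothetical stand-in for add_fd(): calloc() hands back zero-filled
 * storage, so every member, pointer members included, starts out as
 * all-bits-zero without any per-member assignment. */
struct conn *add_fd_like(int fd)
{
    struct conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->fd = fd;
    return c;
}

/* The assumption the reply spells out: that this platform represents a
 * null pointer as all bits cleared. Returns 1 if that holds here. */
int null_is_all_bits_zero(void)
{
    void *p = NULL;
    static const unsigned char zeros[sizeof(void *)];   /* static: zeroed */
    return memcmp(&p, zeros, sizeof p) == 0;
}

/* Heap path (the TCP case): after zeroed allocation the pointer member
 * already compares equal to NULL, given the assumption above. */
int heap_response_is_null(void)
{
    struct conn *c = add_fd_like(3);
    int ok = (c != NULL && c->response == NULL);
    free(c);
    return ok;
}

/* Stack path (the UDP-style case): an automatic struct has indeterminate
 * contents, so its members must be initialized explicitly before use.
 * Reading c.response without the "= {0}" would be undefined behaviour. */
int stack_response_is_null_when_initialized(void)
{
    struct conn c = {0};   /* explicit zero-initialization of every member */
    return c.response == NULL;
}
```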
