Heap Corruption with large authorization header values

Greg Hudson ghudson at mit.edu
Tue Oct 7 20:23:07 EDT 2014

[I've moderated Tim's messages through to krbdev.  I don't plan to
moderate them through to kerberos; messages should go to one or the
other, not both.]

On 10/02/2014 04:25 PM, Tim Vega wrote:
> Line 1241 of src\lib\gssapi\krb5\accept_sec_context.c:
> token.value = (unsigned char *) xmalloc(token.length);
> This allocates the token which is then deallocated here:
> Line 1790 of src\lib\gssapi\spnego\spnego_mech.c
> gss_release_buffer(&tmpmin, &mechtok_out);
> Changing xmalloc to gssalloc_malloc solves our issue.

I assume you're using a build from source on Windows?

I agree with the description of the bug; this malloc call should have
been converted when we introduced gssalloc_malloc.  The bug can't
manifest in 1.10.x (and thus in the most recent Kerberos for Windows
release) because it's masked by #1445, which was fixed in 1.12:

I will go ahead and submit a fix for this; no need to send a separate
bug report.

More information about the krbdev mailing list