In krb5_get_cred_from_kdc_opt, it seems that there is a bug that could
cause a dereference of NULL. In the following for loop (starting at line
207 in gc_frm_kdc.cxx), if krb5_cc_retrieve_cred succeeded in the first
round of the for loop, it would come back to the for loop and top_server
will become NULL (top_server = next_server) since next_server is
initialized as NULL. In this case, we'll call krb5_tgtname using the NULL
pointer "top_server". Am I missing something? I'm looking at version
5-1.4.3, but I think all previous versions have the same problem.

for (top_server = tgs_list;
     top_server < tgs_list + nservers;
     top_server = next_server) {
    /* look in cache for a tgt for the destination */

    krb5_free_cred_contents(context, &tgtq);
    memset(&tgtq, 0, sizeof(tgtq));
    if ((retval = krb5_copy_principal(context,
        goto cleanup;

    krb5_free_principal(context, int_server);
    int_server = NULL;
    if ((retval = krb5_tgtname(context,
                               krb5_princ_realm(context, *top_server), // top_server could be NULL
                               &int_server))) {
        goto cleanup;
    }

    retval = krb5_cc_retrieve_cred(context, ccache,
                                   &tgtq, &tgt);
    if (retval == 0) {
        krb5_free_cred_contents(context, &otgt);
        free_otgt = 0;
        free_tgt = 1;
        /* We are now done - proceed to got/finally have tgt */
    } else {

    }
} // end of for loop



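As an added illustration of the loop shape discussed in this message (constructed model, not krb5 code, and not part of the original post): the server list, the ccache lookup and the "else" branch that computes next_server are all stubbed, so the two safeguards a reviewer would want are visible in isolation: a cache hit leaves the loop instead of reaching the `top_server = next_server` update, and a NULL next_server is rejected before it can be dereferenced by the tgtname call.

```c
#include <stddef.h>

/* Constructed model of the posted loop. A "server" is just a realm name. */
typedef struct { const char *realm; } server_t;
typedef server_t *const *server_iter;

/* Stand-in for krb5_tgtname: it dereferences top_server, so reaching it
 * with a NULL pointer is exactly the crash the post describes. */
static const char *tgt_realm(server_iter top_server) {
    return (*top_server)->realm;
}

/* The loop's "else" branch, modelled as a callback computing next_server.
 * never_set() mirrors the post's reading (next_server is never assigned,
 * so it stays NULL); step_one() is a sane advance along the list. */
server_iter never_set(server_iter cur) { (void)cur; return NULL; }
server_iter step_one(server_iter cur) { return cur + 1; }

/* hit_at: index at which the stubbed krb5_cc_retrieve_cred "succeeds"
 * (-1 = never). Returns the index of the hit, -1 if the list is exhausted,
 * -2 if the update would have made top_server NULL. */
int walk_tgs_list(server_iter tgs_list, int nservers, int hit_at,
                  server_iter (*advance)(server_iter)) {
    server_iter top_server, next_server = NULL;   /* NULL, as in the post */
    for (top_server = tgs_list; top_server < tgs_list + nservers;
         top_server = next_server) {
        (void)tgt_realm(top_server);               /* never NULL here */
        if ((int)(top_server - tgs_list) == hit_at)
            return (int)(top_server - tgs_list);   /* done: leave the loop */
        next_server = advance(top_server);
        if (next_server == NULL)                   /* reject before the update */
            return -2;
    }
    return -1;
}

/* Constructed three-realm chain for a quick self-check. */
static server_t A = {"A.EXAMPLE"}, B = {"B.EXAMPLE"}, C = {"C.EXAMPLE"};
static server_t *const chain[3] = {&A, &B, &C};

int demo_hit(void)  { return walk_tgs_list(chain, 3, 1, step_one); }  /* 1 */
int demo_null(void) { return walk_tgs_list(chain, 3, -1, never_set); } /* -2 */
int demo_miss(void) { return walk_tgs_list(chain, 3, -1, step_one); } /* -1 */
```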
Kerberos mailing list