In krb5_get_cred_from_kdc_opt, it seems that there is a bug that could cause a NULL pointer dereference.
In the following for loop (starting at line 207 in gc_frm_kdc.cxx), if krb5_cc_retrieve_cred succeeds in the first round of the for loop, control comes back to the top of the for loop and top_server becomes NULL (top_server = next_server), since next_server is initialized as NULL. In this case, we'll call krb5_tgtname using the NULL pointer "top_server".
Am I missing something? I'm looking at version 5-1.4.3, but I think all previous versions have the same problem.


for (top_server = tgs_list;
     top_server < tgs_list + nservers;
     top_server = next_server) {
    /* look in cache for a tgt for the destination */

    krb5_free_cred_contents(context, &tgtq);
    memset(&tgtq, 0, sizeof(tgtq));
    if ((retval = krb5_copy_principal(context,
                                      tgt.client,
                                      &tgtq.client)))
        goto cleanup;

    krb5_free_principal(context, int_server);
    int_server = NULL;
    if ((retval = krb5_tgtname(context,
                               krb5_princ_realm(context,
                                                in_cred->server),
                               krb5_princ_realm(context, *top_server), // top_server could be NULL
                               &int_server))) {
        goto cleanup;
    }

    ......

    retval = krb5_cc_retrieve_cred(context, ccache,
                                   retr_flags,
                                   &tgtq, &tgt);
    if (retval == 0) {
        krb5_free_cred_contents(context, &otgt);
        free_otgt = 0;
        free_tgt = 1;
        /* We are now done - proceed to got/finally have tgt */
    } else {

        ......
    }
} // end of for loop


Thanks

Alex
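As an added illustration, not code from the krb5 tree or from the post above: a self-contained C model of the loop-update pattern being described. The names are hypothetical stand-ins (tgs_list is a plain array of realm strings, retrieve_succeeds() plays the role of krb5_cc_retrieve_cred() returning 0 on the first round), and the "dereference" is replaced by an explicit NULL check so the model reports the condition instead of faulting. A second variant leaves the loop on success before the update expression runs.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not krb5 code): three referral realms stand in for tgs_list. */
#define NSERVERS 3
static const char *tgs_list[NSERVERS] = { "REALM.A", "REALM.B", "REALM.C" };

/* Stand-in for krb5_cc_retrieve_cred() returning 0: succeed on the first round only. */
static int retrieve_succeeds(const char **server) {
    return server == tgs_list;
}

/* Loop shaped like the one in the post. next_server starts as NULL and is only
 * advanced on the "not found" path, so a success on round one feeds NULL into
 * the update expression on the next iteration.
 * Returns -1 if the loop reached the point where *top_server would be read
 * through a NULL pointer, otherwise the number of rounds completed. */
int loop_as_posted(void) {
    const char **top_server, **next_server = NULL;
    int rounds = 0;
    for (top_server = tgs_list; ; top_server = next_server) {
        if (top_server == NULL)
            return -1;                    /* krb5_tgtname(..., *top_server, ...) would fault here */
        if (top_server >= tgs_list + NSERVERS)
            return rounds;
        rounds++;
        if (retrieve_succeeds(top_server)) {
            /* "done" branch: nothing on this path assigns next_server */
        } else {
            next_server = top_server + 1; /* try the next referral realm */
        }
    }
}

/* Same loop, but the success path leaves the loop before the update runs, so
 * top_server is never assigned from a next_server that was not set.
 * Returns the number of rounds completed. */
int loop_with_break(void) {
    const char **top_server, **next_server = NULL;
    int rounds = 0;
    for (top_server = tgs_list;
         top_server < tgs_list + NSERVERS;
         top_server = next_server) {
        rounds++;
        if (retrieve_succeeds(top_server))
            break;                        /* have the TGT; skip the update expression */
        next_server = top_server + 1;
    }
    return rounds;
}

int main(void) {
    int posted = loop_as_posted();
    int fixed = loop_with_break();
    printf("loop as posted: %s\n", posted < 0 ? "NULL top_server reached" : "finished");
    printf("loop with break: finished after %d round(s)\n", fixed);
    return 0;
}
```

The model tests top_server == NULL explicitly rather than relying on the loop condition, because a relational comparison between a null pointer and an array bound (top_server < tgs_list + nservers) is not defined by C and cannot be counted on to stop the loop.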


________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos