krb5_get_cred_from_kdc fails to null terminate the tgt list

	if the next tgt in a cross-realm traversal cannot be
	obtained find_nxt_kdc() was calling krb5_free_creds()
	on the last tgt in the list but was failing to nullify
	the pointer to the cred that was just freed.

	if there were no additional tgts obtained,
	krb5_get_cred_from_kdc() would return a non-NULL terminated
	cred list to the caller.  This would result in a crash
	when attempting to manipulate the non-existent cred past
	the end of the list.

	This commit nullifies the credential pointer in
	find_nxt_kdc() after the call to krb5_free_creds()

ticket: new
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19195 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index c936661c3160e6531186c11fb85e8a99e97c6e18..4890bad501501e58cd8c3e71bfd299a28049daf6 100644 (file)
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -462,6 +462,7 @@ find_nxt_kdc(struct tr_state *ts)
        if (ts->ntgts > 0) {
            /* Punt NXT_TGT from KDC_TGTS if bogus. */
            krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]);
+           ts->kdc_tgts[ts->ntgts] = NULL;
        }
        TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED);
        return KRB5_KDCREP_MODIFIED;