array before test for pointing at entry with the principal. Avoids
authorEzra Peisach <epeisach@mit.edu>
Wed, 4 Oct 2006 18:40:53 +0000 (18:40 +0000)
committerEzra Peisach <epeisach@mit.edu>
Wed, 4 Oct 2006 18:40:53 +0000 (18:40 +0000)
buffer overflow for end of list.

Detected with a hacked up version of valgrind to handle keyring syscalls.

krb5_krcc_next_cred: Move initial test if pointing past end of key

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18643 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/ccache/cc_keyring.c

index 8b36fe0cd3c5c8f8ab5518aefc3b3e035b2594e7..0526abd191780a083247f2d24355daa193587666 100644 (file)
@@ -737,14 +737,18 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
        return KRB5_CC_END;
     memset(creds, 0, sizeof(krb5_creds));
 
-    /* If we're pointing at the entry with the principal, skip it */
-    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id)
-       krcursor->currkey++;
-
     /* If we're pointing past the end of the keys array, there are no more */
     if (krcursor->currkey > krcursor->numkeys)
        return KRB5_CC_END;
 
+    /* If we're pointing at the entry with the principal, skip it */
+    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id) {
+       krcursor->currkey++;
+       /* Check if we have now reached the end */
+       if (krcursor->currkey > krcursor->numkeys)
+         return KRB5_CC_END;
+    }
+
     /* Read the key, the right size buffer will ba allocated and returned */
     psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload);
     if (psize == -1) {
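Review bot: Both bounds checks in this hunk compare with `>`, which still lets `currkey == numkeys` through to `krcursor->keys[krcursor->currkey]`. If `keys` holds `numkeys` entries indexed from 0 (the cursor setup is outside the hunk, so this needs confirming), that index is one element past the array. The stray value would then be compared with `princ_id` and, on the path that falls through, passed to `keyctl_read_alloc` as a key serial. I would use `if (krcursor->currkey >= krcursor->numkeys)` for both the moved check and the new one inside the skip branch. The body of `krb5_krcc_next_cred` starts before the hunk and continues after it.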