krb5_gss_inquire_cred can copy out uninitialized pointer
authorTom Yu <tlyu@mit.edu>
Wed, 21 Sep 2005 22:58:07 +0000 (22:58 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 21 Sep 2005 22:58:07 +0000 (22:58 +0000)
* inq_cred.c (krb5_gss_inquire_cred): Initialize ret_name to
NULL.  Only call kg_save_name() if ret_name is actually non-NULL.
Return GSS_C_NO_NAME for now if no principal name in the cred.
Reported by Christoph Weizen.

ticket: new
version_reported: 1.4.2
target_version: 1.4.3
tags: pullup
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17384 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/inq_cred.c

index f06fee506b23ad7a12abd93fda1f3ae86e092cff..3800195d1f8c6fa1fa2679f8aa8568fca1826ecb 100644 (file)
@@ -1,3 +1,10 @@
+2005-09-21  Tom Yu  <tlyu@mit.edu>
+
+       * inq_cred.c (krb5_gss_inquire_cred): Initialize ret_name to
+       NULL.  Only call kg_save_name() if ret_name is actually non-NULL.
+       Return GSS_C_NO_NAME for now if no principal name in the cred.
+       Reported by Christoph Weizen.
+
 2005-08-11  Tom Yu  <tlyu@mit.edu>
 
        * import_name.c: Include stdio.h regardless of presence of
index 4125dd5e48b8f5bb7b2d16841dc8bd7c1435c14a..ec8578e4e836b40c10bec45c863fc3b00d239023 100644 (file)
@@ -92,6 +92,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
    OM_uint32 ret;
 
    ret = GSS_S_FAILURE;
+   ret_name = NULL;
 
    code = krb5_init_context(&context);
    if (code) {
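Review bot: The new `ret_name = NULL;` has no comment saying why the pointer can reach the later uses unset, so the line looks redundant and is easy to drop in a cleanup. Going by the commit message, the case is a credential with no principal name; a short comment such as `/* stays NULL when the cred has no principal name */` would record that. Initialising at the declaration, which is outside this hunk, would also keep the pointer defined if an early exit is ever added above this line.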
@@ -164,14 +165,15 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
                                                           (gss_OID) gss_mech_krb5,
                                                           &mechs)))) {
           k5_mutex_unlock(&cred->lock);
-          krb5_free_principal(context, ret_name);
+          if (ret_name)
+              krb5_free_principal(context, ret_name);
           /* *minor_status set above */
           goto fail;
        }
    }
 
    if (name) {
-      if (! kg_save_name((gss_name_t) ret_name)) {
+      if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
         k5_mutex_unlock(&cred->lock);
         (void) gss_release_oid_set(minor_status, &mechs);
         krb5_free_principal(context, ret_name);
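Review bot: The failure branch under `if (name)` still calls `gss_release_oid_set(minor_status, &mechs)` unconditionally, while `mechs` appears to be filled in only by the block that closes just above it. If that block is skipped and `mechs` is not initialised at its declaration (not visible in this hunk), this is the same uninitialised-pointer pattern the commit fixes for `ret_name`. Consider adding `mechs = GSS_C_NO_OID_SET;` next to the new `ret_name = NULL;`, or guarding the release the way the free is now guarded. As a smaller style point, the two new NULL tests are spelled differently (`if (ret_name)` versus `ret_name != NULL`). The function body starts and ends outside the hunk.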
@@ -179,7 +181,10 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
         krb5_free_context(context);
         return(GSS_S_FAILURE);
       }
-      *name = (gss_name_t) ret_name;
+      if (ret_name != NULL)
+         *name = (gss_name_t) ret_name;
+      else
+         *name = GSS_C_NO_NAME;
    }
 
    if (lifetime_ret)
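Review bot: The new else branch hands back `GSS_C_NO_NAME` through `*name` on a path that looks like it goes on to return success, and nothing in the code records that this is interim behaviour; only the commit message says "for now". A caller that passes the result straight to another name-consuming GSS call will now get an error there instead of here. A comment on the branch would help, for example `/* cred has no principal: report GSS_C_NO_NAME for now; callers must check before using *name */`. The rest of the function, including its final return, is outside the hunk.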