From: Ezra Peisach <epeisach@mit.edu>
Date: Wed, 4 Oct 2006 18:40:53 +0000 (+0000)
Subject: array before test for pointing at entry with the principal. Avoids
X-Git-Tag: krb5-1.6-alpha1~110
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=393281d4cc8706b94637cfb2ed8b3e90a067e3a5;p=krb5.git

array before test for pointing at entry with the principal. Avoids
buffer overflow for end of list.

Detected with a hacked up version of valgrind to handle keyring syscalls.

krb5_krcc_next_cred: Move initial test if pointing past end of key

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18643 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 8b36fe0cd..0526abd19 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -737,14 +737,18 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
 	return KRB5_CC_END;
     memset(creds, 0, sizeof(krb5_creds));
 
-    /* If we're pointing at the entry with the principal, skip it */
-    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id)
-	krcursor->currkey++;
-
     /* If we're pointing past the end of the keys array, there are no more */
     if (krcursor->currkey > krcursor->numkeys)
 	return KRB5_CC_END;
 
+    /* If we're pointing at the entry with the principal, skip it */
+    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id) {
+	krcursor->currkey++;
+	/* Check if we have now reached the end */
+	if (krcursor->currkey > krcursor->numkeys)
+	  return KRB5_CC_END;
+    }
+
     /* Read the key, the right size buffer will ba allocated and returned */
     psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload);
     if (psize == -1) {
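Review bot: both end-of-list tests in this hunk compare with `>` (`if (krcursor->currkey > krcursor->numkeys)`), so `currkey == numkeys` still passes and is then used as an index in `krcursor->keys[krcursor->currkey]`, both in the principal comparison and in the `keyctl_read_alloc` call. If `keys` holds `numkeys` entries indexed from zero, that is still a read one element past the end, which is the class of bug this change is meant to close. The allocation of `keys` and the starting value of `currkey` are not visible in this hunk, so please confirm the indexing convention, and if it is zero-based change both tests to `>=`. Separately, the two identical checks could be folded into one by skipping the principal entry in a small loop that re-tests the bound, which would avoid the two copies drifting apart later.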