From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 12 Mar 2009 16:48:15 +0000 (+0000)
Subject: crash using library-allocated storage for header in wrap_iov
X-Git-Tag: krb5-1.8-alpha1~599
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=8b0f159350e8b938cfc5dca1a254f8d6ff7f595a;p=krb5.git

crash using library-allocated storage for header in wrap_iov

When allocating storage for the header buffer, update the internal
output buffer pointer as well.

ticket: 6412
target_version: 1.7
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22081 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index 98904b62d..85f9036b3 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -129,9 +129,10 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
             gss_headerlen += gss_trailerlen;
         }
 
-        if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
+        if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
             code = kg_allocate_iov(header, (size_t) gss_headerlen);
-        else if (header->buffer.length < gss_headerlen)
+            outbuf = (unsigned char *)header->buffer.value;
+        } else if (header->buffer.length < gss_headerlen)
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;