From 196396e78d6acef5e845829f0a7615b96ca6f9df Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Thu, 1 Mar 2007 20:29:57 +0000 Subject: [PATCH] pull up r19195 from trunk r19195@cathode-dark-space: jaltman | 2007-02-28 20:49:11 -0500 ticket: new subject: krb5_get_cred_from_kdc fails to null terminate the tgt list tags: pullup if the next tgt in a cross-realm traversal cannot be obtained find_nxt_kdc() was calling krb5_free_creds() on the last tgt in the list but was failing to nullify the pointer to the cred that was just freed. if there were no additional tgts obtained, krb5_get_cred_from_kdc() would return a non-NULL terminated cred list to the caller. This would result in a crash when attempting to manipulate the non-existent cred past the end of the list. This commit nullifies the credential pointer in find_nxt_kdc() after the call to krb5_free_creds() ticket: 5454 version_fixed: 1.6.1 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19197 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/gc_frm_kdc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index c936661c3..4890bad50 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -462,6 +462,7 @@ find_nxt_kdc(struct tr_state *ts) if (ts->ntgts > 0) { /* Punt NXT_TGT from KDC_TGTS if bogus. */ krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]); + ts->kdc_tgts[ts->ntgts] = NULL; } TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED); return KRB5_KDCREP_MODIFIED; -- 2.26.2