From 17ca5b3402fe42c3ff5b2d928cc685fae43bd0d2 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 13 Jun 2006 14:14:27 +0000
Subject: Prevent a library double-free and crash when a keytab is zero-length.
 Based on a patch from Rainer Weikusat.

Ticket: 3549
Version_Reported: 1.4.3
Component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18120 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/keytab/kt_file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index c0358bfcbb..c31b90f34f 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1092,7 +1092,10 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
     } else {
 	/* gotta verify it instead... */
 	if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
-	    kerror = errno;
+	    if (feof(KTFILEP(id)))
+		kerror = KRB5_KEYTAB_BADVNO;
+	    else
+		kerror = errno;
 	    (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
 	    (void) fclose(KTFILEP(id));
 	    return kerror;
-- 
cgit