array before test for pointing at entry with the principal. Avoids

buffer overflow for end of list.

Detected with a hacked up version of valgrind to handle keyring syscalls.

krb5_krcc_next_cred: Move initial test if pointing past end of key

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18643 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 8 insertions, 4 deletions

diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 8b36fe0cd..0526abd19 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -737,14 +737,18 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
 	return KRB5_CC_END;
     memset(creds, 0, sizeof(krb5_creds));
 
-    /* If we're pointing at the entry with the principal, skip it */
-    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id)
-	krcursor->currkey++;
-
     /* If we're pointing past the end of the keys array, there are no more */
     if (krcursor->currkey > krcursor->numkeys)
 	return KRB5_CC_END;
 
+    /* If we're pointing at the entry with the principal, skip it */
+    if (krcursor->keys[krcursor->currkey] == krcursor->princ_id) {
+	krcursor->currkey++;
+	/* Check if we have now reached the end */
+	if (krcursor->currkey > krcursor->numkeys)
+	  return KRB5_CC_END;
+    }
+
     /* Read the key, the right size buffer will ba allocated and returned */
     psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload);
     if (psize == -1) {