diff options
author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2007-03-01 01:49:11 +0000 |
---|---|---|
committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2007-03-01 01:49:11 +0000 |
commit | 36ff243effef4c41f5a2220b9a0fb8c16ecd5e8c (patch) | |
tree | 286ee1ced5f3d5e2a25e95576d94610eda4907c3 /src/lib/krb5/krb | |
parent | 1ae792f71d14828942218ece30fdb6069f5a4960 (diff) | |
download | krb5-36ff243effef4c41f5a2220b9a0fb8c16ecd5e8c.tar.gz krb5-36ff243effef4c41f5a2220b9a0fb8c16ecd5e8c.tar.xz krb5-36ff243effef4c41f5a2220b9a0fb8c16ecd5e8c.zip |
krb5_get_cred_from_kdc fails to null terminate the tgt list
if the next tgt in a cross-realm traversal cannot be
obtained find_nxt_kdc() was calling krb5_free_creds()
on the last tgt in the list but was failing to nullify
the pointer to the cred that was just freed.
if there were no additional tgts obtained,
krb5_get_cred_from_kdc() would return a non-NULL terminated
cred list to the caller. This would result in a crash
when attempting to manipulate the non-existent cred past
the end of the list.
This commit nullifies the credential pointer in
find_nxt_kdc() after the call to krb5_free_creds()
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19195 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb')
-rw-r--r-- | src/lib/krb5/krb/gc_frm_kdc.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index c936661c3..4890bad50 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -462,6 +462,7 @@ find_nxt_kdc(struct tr_state *ts) if (ts->ntgts > 0) { /* Punt NXT_TGT from KDC_TGTS if bogus. */ krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]); + ts->kdc_tgts[ts->ntgts] = NULL; } TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED); return KRB5_KDCREP_MODIFIED; |