From 36ff243effef4c41f5a2220b9a0fb8c16ecd5e8c Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Thu, 1 Mar 2007 01:49:11 +0000 Subject: krb5_get_cred_from_kdc fails to null terminate the tgt list if the next tgt in a cross-realm traversal cannot be obtained find_nxt_kdc() was calling krb5_free_creds() on the last tgt in the list but was failing to nullify the pointer to the cred that was just freed. if there were no additional tgts obtained, krb5_get_cred_from_kdc() would return a non-NULL terminated cred list to the caller. This would result in a crash when attempting to manipulate the non-existent cred past the end of the list. This commit nullifies the credential pointer in find_nxt_kdc() after the call to krb5_free_creds() ticket: new tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19195 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/gc_frm_kdc.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/lib/krb5/krb') diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index c936661c3..4890bad50 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -462,6 +462,7 @@ find_nxt_kdc(struct tr_state *ts) if (ts->ntgts > 0) { /* Punt NXT_TGT from KDC_TGTS if bogus. */ krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]); + ts->kdc_tgts[ts->ntgts] = NULL; } TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED); return KRB5_KDCREP_MODIFIED; -- cgit