[16107] in Kerberos-V5-bugs


[krbdev.mit.edu #8726] Directly dereference the pointer certname

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Sep 5 12:38:21 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8726@krbdev.mit.edu>
Message-ID: <rt-8726-48799.3.12064527282338@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8726'":;
Date: Wed,  5 Sep 2018 12:38:05 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

"kinit -X X509_user_identity=, princname" also causes the null deref 
if the KDC offers PKINIT.

There are some ancillary code hygiene issues here:

* On empty input, parse_fs_options() returns 0 without filling in 
idopts->cert_filename and idopts->key_filename.  This is papered over 
by checks in pkinit_get_certs_fs(), which will return 
KRB5KDC_ERR_PREAUTH_FAILED if either field isn't filled in.

* If the second strdup() in parse_fs_options() fails, it returns 
ENOMEM but does leave an allocated value in idopts->cert_filename.  
This could lead to a memory leak if a subsequent pkinit_identities 
value is tried, but under most circumstances I think the allocated 
value will be cleaned up during teardown.
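A hardened version of the FILE: residual parser the comment describes, added here as an example and not krb5's own parse_fs_options() (the struct and function names are hypothetical stand-ins). It treats empty input and a delimiter-only string such as "," as errors rather than success or a NULL dereference, and frees the first string when the second strdup() fails, so a caller never inherits a half-filled idopts. It assumes the FILE:cert[,key] form in which an omitted key name means the key is in the cert file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two pkinit_identity_opts fields the ticket discusses. */
struct fs_idopts { char *cert_filename; char *key_filename; };

/* Parse the residual of a FILE:cert[,key] identity string.  Returns 0 on
 * success, EINVAL on empty or delimiter-only input, ENOMEM on allocation
 * failure.  On every failure path both fields end up NULL. */
int parse_fs_residual(struct fs_idopts *opts, const char *residual)
{
    char *buf, *save, *certname, *keyname;

    opts->cert_filename = opts->key_filename = NULL;
    if (residual == NULL || *residual == '\0')
        return EINVAL;          /* empty input is an error, not success */
    buf = strdup(residual);
    if (buf == NULL)
        return ENOMEM;
    /* strtok_r() yields NULL for a delimiter-only string such as ",",
     * so the result must be checked before it is dereferenced. */
    certname = strtok_r(buf, ",", &save);
    if (certname == NULL) {
        free(buf);
        return EINVAL;
    }
    keyname = strtok_r(NULL, ",", &save);
    if (keyname == NULL)
        keyname = certname;     /* assumption: no key name means key is in the cert file */
    opts->cert_filename = strdup(certname);
    opts->key_filename = opts->cert_filename ? strdup(keyname) : NULL;
    free(buf);
    if (opts->cert_filename == NULL || opts->key_filename == NULL) {
        free(opts->cert_filename);   /* undo the partial allocation */
        free(opts->key_filename);
        opts->cert_filename = opts->key_filename = NULL;
        return ENOMEM;
    }
    return 0;
}
```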
krb5-bugs mailing list
