[1181] in Kerberos-V5-bugs
krb5b4pl3: lib/krb5/krb/copy_princ.c: deal properly with zero-length principal components
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Mar 14 21:36:59 1995
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Date: Tue, 14 Mar 1995 21:40:02 -0500
To: krb5-bugs@MIT.EDU
lib/krb5/krb/copy_princ.c can fail if it is asked to copy a principal
with a zero-length component on a system where malloc(0) returns null.
Here's a patch:
--- lib/krb5/krb/copy_princ.c 1995/02/27 01:37:15 1.1
+++ lib/krb5/krb/copy_princ.c 1995/02/27 01:38:51
@@ -58,27 +58,31 @@
for (i = 0; i < nelems; i++) {
int len = krb5_princ_component(inprinc, i)->length;
krb5_princ_component(tempprinc, i)->length = len;
- if ((krb5_princ_component(tempprinc, i)->data = malloc(len)) == 0) {
+ if (((krb5_princ_component(tempprinc, i)->data = malloc(len)) == 0)
+ && len) {
while (--i >= 0)
free(krb5_princ_component(tempprinc, i)->data);
free (tempprinc->data);
free (tempprinc);
return ENOMEM;
}
- memcpy(krb5_princ_component(tempprinc, i)->data,
- krb5_princ_component(inprinc, i)->data, len);
+ if (len)
+ memcpy(krb5_princ_component(tempprinc, i)->data,
+ krb5_princ_component(inprinc, i)->data, len);
}
tempprinc->realm.data =
malloc(tempprinc->realm.length = inprinc->realm.length);
- if (!tempprinc->realm.data) {
+ if (!tempprinc->realm.data && tempprinc->realm.length) {
for (i = 0; i < nelems; i++)
free(krb5_princ_component(tempprinc, i)->data);
free(tempprinc->data);
free(tempprinc);
return ENOMEM;
}
- memcpy(tempprinc->realm.data, inprinc->realm.data, inprinc->realm.length);
+ if (tempprinc->realm.length)
+ memcpy(tempprinc->realm.data, inprinc->realm.data,
+ tempprinc->realm.length);
*outprinc = tempprinc;
return 0;
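Review bot: After this change an empty component or realm is copied with a platform-dependent `data` pointer: NULL where malloc(0) returns NULL, a unique non-NULL pointer elsewhere. Any later consumer that tests `data` for NULL, or passes it to memcpy/memcmp with length 0, will therefore behave differently across systems. Requesting at least one byte, e.g. `malloc(len ? len : 1)` in the component loop and the equivalent for the realm allocation, gives one behaviour everywhere and makes the three added `len` / `realm.length` guards unnecessary. Separately, `len` is declared `int` and the type of the `length` field is not visible here; if it can ever be negative, the value is converted to a very large size in malloc and memcpy, so rejecting `len < 0` before the allocation is worth adding. The enclosing function begins and ends outside the hunk.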