[1390] in Kerberos-V5-bugs

improper use of free in krb5/src/lib/krb5/krb/mk_cred.c

daemon@ATHENA.MIT.EDU (Scott Schwartz)
Wed May 10 00:45:06 1995

To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Date: 	Wed, 10 May 1995 00:24:15 -0400
From: Scott Schwartz <schwartz@galapagos.cse.psu.edu>

CLEANUP_PUSH should definitely not be called with
&local_fulladdr.contents, since that is a pointer to an auto variable.
Presumably the author intended to free the malloced address info that
the value of contents points to.

After applying this patch, rlogin doesn't dump core, so rlogind is able
to put a tgt in /tmp/krb5cc_p%d but the child shell never gets the
KRB5CCNAME env variable for some reason.  Any ideas?  Naturally,
login.krb5 doesn't delete the ticket cache when the session finished.

*** 1.1	1995/05/10 02:47:59
--- mk_cred.c	1995/05/10 02:50:17
***************
*** 270,276 ****
              if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
                                   	      auth_context->local_port, 
  					      &local_fulladdr))) {
!             	CLEANUP_PUSH(&local_fulladdr.contents, free);
  	    	plocal_fulladdr = &local_fulladdr;
              } else {
                  goto error;
--- 270,276 ----
              if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
                                   	      auth_context->local_port, 
  					      &local_fulladdr))) {
!             	CLEANUP_PUSH(local_fulladdr.contents, free);
  	    	plocal_fulladdr = &local_fulladdr;
              } else {
                  goto error;
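
Review bot: the new CLEANUP_PUSH(local_fulladdr.contents, free) line records the pointer value at the moment of the push, so it is only safe if nothing later in the function reassigns or separately frees local_fulladdr.contents while plocal_fulladdr is still in use. A one-line comment above the call saying that contents is the buffer filled in by krb5_make_fulladdr (allocated, as the message assumes) and is owned by this function until the cleanup runs would make that explicit and help keep the & from creeping back in.
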
***************
*** 285,291 ****
              if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
                                   	      auth_context->remote_port, 
  					      &remote_fulladdr))){
!                 CLEANUP_PUSH(&remote_fulladdr.contents, free);
  	        premote_fulladdr = &remote_fulladdr;
              } else {
                  CLEANUP_DONE();
--- 285,291 ----
              if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
                                   	      auth_context->remote_port, 
  					      &remote_fulladdr))){
!                 CLEANUP_PUSH(remote_fulladdr.contents, free);
  	        premote_fulladdr = &remote_fulladdr;
              } else {
                  CLEANUP_DONE();
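
Review bot: the failure branch after CLEANUP_PUSH(remote_fulladdr.contents, free) calls CLEANUP_DONE(), while the failure branch in the local-address hunk above goes straight to goto error. Now that the pushed values are the contents pointers themselves, which free will actually release, please confirm that when the remote krb5_make_fulladdr call fails, CLEANUP_DONE() releases local_fulladdr.contents exactly once and nothing reached afterwards touches it again; the lines following CLEANUP_DONE() are not shown, so this cannot be checked from the hunk alone.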
