[16117] in Kerberos-V5-bugs
[krbdev.mit.edu #8740] Null pointer deference in function CLeashApp
daemon@ATHENA.MIT.EDU (Yang Xiao via RT)
Tue Sep 18 13:07:16 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Yang Xiao via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8740@krbdev.mit.edu>
Message-ID: <rt-8740-48826.14.1931854328983@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8740'":;
Date: Tue, 18 Sep 2018 13:07:09 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Hi,
There is a null pointer dereference in function
CLeashApp::GetProfileFile() in Leash.cpp.
BOOL
CLeashApp::GetProfileFile(
    LPSTR confname,
    UINT szConfname
    )
{
    char **configFile = NULL;
    if (!m_hKrb5DLL)
        return NULL;

    if (pkrb5_get_default_config_files(&configFile))
    {
        GetWindowsDirectory(confname,szConfname);
        confname[szConfname-1] = '\0';
        strncat(confname,"\\KRB5.INI",szConfname-strlen(confname));
        confname[szConfname-1] = '\0';
        return FALSE;
    }

    *confname = 0;

    if (configFile)
    {
        strncpy(confname, *configFile, szConfname);
        confname[szConfname-1] = '\0';
        pkrb5_free_config_files(configFile);
    }

    if (!*confname)
    {
        GetWindowsDirectory(confname,szConfname);
        confname[szConfname-1] = '\0';
        strncat(confname,"\\KRB5.INI",szConfname-strlen(confname));
        confname[szConfname-1] = '\0';
    }

    return FALSE;
}
If krb5_get_default_config_files() returns success and an empty list,
then GetProfileFile() will attempt to dereference a null pointer. Check
for the empty list and treat it as failure.
Below is the proposed patch for function CLeashApp::GetProfileFile().
- if (pkrb5_get_default_config_files(&configFile))
+ if (pkrb5_get_default_config_files(&configFile) || !configFile[0])
{
GetWindowsDirectory(confname,szConfname);
confname[szConfname-1] = '\0';
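Review bot: on the changed condition, !configFile[0] is evaluated without first checking that configFile itself is non-NULL, while the code further down in the same function still guards with "if (configFile)". If a successful call can leave the pointer NULL, the new test dereferences it; consider "|| !configFile || !configFile[0]". Also, when the call succeeds with an empty list, this branch reaches "return FALSE" without calling pkrb5_free_config_files(configFile), so the allocated list is never released; free it before returning.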
Young
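The empty-list case described in the report, as an added example that is not part of the original message or of the krb5 source: a portable C model of the lookup-then-fallback logic that tests the list pointer and its first element before use and frees the list on every success path. make_list, free_list, choose_profile and the sample paths are constructed stand-ins for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins (assumptions): a NULL-terminated list of profile
 * paths, as krb5_get_default_config_files() hands back, and its free call. */
static int lists_freed = 0;

static char **make_list(const char *first)   /* first == NULL -> empty list */
{
    char **l = calloc(2, sizeof *l);
    if (l && first && (l[0] = malloc(strlen(first) + 1)))
        strcpy(l[0], first);
    return l;
}

static void free_list(char **l)
{
    if (!l) return;
    for (char **p = l; *p; p++) free(*p);
    free(l);
    lists_freed++;
}

/* Hypothetical helper: rc and files model the result of the lookup call.
 * Returns 1 if a path from the list was used, 0 if the fallback
 * "<windir>\KRB5.INI" was written instead. Takes ownership of files. */
static int choose_profile(int rc, char **files, const char *windir,
                          char *out, size_t outsz)
{
    int used = 0;
    /* Test the pointer, then the first element, then for an empty string. */
    if (rc == 0 && files && files[0] && files[0][0]) {
        snprintf(out, outsz, "%s", files[0]);   /* bounded, always terminated */
        used = 1;
    } else {
        snprintf(out, outsz, "%s\\KRB5.INI", windir);
    }
    if (rc == 0) free_list(files);  /* release the list on every success path */
    return used;
}

int main(void)
{
    char buf[260];
    int used = choose_profile(0, make_list(NULL), "C:\\Windows", buf, sizeof buf);
    printf("%d %s\n", used, buf);   /* empty list: fallback path is chosen */
    return 0;
}
```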