[17067] in Kerberos-V5-bugs


[krbdev.mit.edu #9192] Several bugs found by a static analyzer

daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Sat Dec 20 19:07:27 2025

From: "Евгений Шемякин via RT"
 <rt-comment@krbdev.mit.edu>
In-Reply-To: <CAEtB=ufARnSFKijKMY+2ur41eKEZD0G31gMYmkG+C1r5p7u9DA@mail.gmail.com>
Message-ID: <rt-4.4.3-2-4166460-1766096355-460.9192-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9192":;
Date: Thu, 18 Dec 2025 17:19:15 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Thu Dec 18 17:19:15 2025: Request 9192 was acted upon.
 Transaction: Ticket created by playersvn@gmail.com
       Queue: krb5
     Subject: Several bugs found by a static analyzer
       Owner: Nobody
  Requestors: playersvn@gmail.com
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9192 >


Good day!

I found several bugs in the krb5 library using a static analyzer:

1.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1114
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/gssapi/spnego/spnego_mech.c#L1699
The "make_spnego_tokenTarg_msg" function returns a value of the "OM_uint32"
type, therefore the check "make_spnego_tokenTarg_msg(...) < 0" is always
false. I think these checks should be replaced with the check
"make_spnego_tokenTarg_msg(...) != 0".

2.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/ser_actx.c#L188
We need to pass "auth_context->local_port" to the "k5_externalize_address"
function, not "auth_context->local_addr".

3.
https://github.com/krb5/krb5/blob/fb83387bb554258d747e8c29d4986849407c9058/src/lib/krb5/krb/pac.c#L188
In this line, the expression "sizeof(*types_out)" is equivalent to the
expression "sizeof(uint32_t*)", but here we need the size of the "uint32_t"
type, not the size of a pointer to "uint32_t".

With respect,
Evgeny Shemyakin

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
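An added illustration of the two C pitfalls in items 1 and 3 of the report above; this is example code written for this page, not code from krb5. It assumes a stand-in function returning OM_uint32 (GSS-API status codes are unsigned) and an out-parameter of type uint32_t **, which is what the sizeof remark in item 3 implies; build_token, alloc_types_buggy, alloc_types_fixed and the failure code are constructed names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t OM_uint32;           /* GSS-API status type: unsigned */
#define GSS_S_COMPLETE 0
#define DEMO_FAILURE   0x000D0000u    /* constructed non-zero status for the demo */

/* Constructed stand-in for a token builder: failure is a non-zero
 * OM_uint32, never a negative number. */
static OM_uint32 build_token(int should_fail)
{
    return should_fail ? DEMO_FAILURE : GSS_S_COMPLETE;
}

/* Item 1, buggy shape: "< 0" on an unsigned result can never be true, so a
 * failed build is silently treated as success. Returns 1 if failure was caught. */
int caught_with_signed_check(int should_fail)
{
    OM_uint32 st = build_token(should_fail);
    return st < 0 ? 1 : 0;            /* always 0: unsigned is never negative */
}

/* Item 1, fixed shape: test for a non-zero status instead. */
int caught_with_nonzero_check(int should_fail)
{
    OM_uint32 st = build_token(should_fail);
    return st != GSS_S_COMPLETE ? 1 : 0;
}

/* Item 3, buggy shape: sizeof(*types_out) is sizeof(uint32_t *), the pointer
 * size, not the element size. Returns the number of bytes requested. */
size_t alloc_types_buggy(uint32_t **types_out, size_t n)
{
    size_t bytes = n * sizeof(*types_out);   /* n * sizeof(uint32_t *) */
    *types_out = malloc(bytes);
    return bytes;
}

/* Item 3, fixed shape: sizeof(**types_out) (equivalently sizeof(uint32_t))
 * is the size of one array element. */
size_t alloc_types_fixed(uint32_t **types_out, size_t n)
{
    size_t bytes = n * sizeof(**types_out);  /* n * sizeof(uint32_t) */
    *types_out = malloc(bytes);
    return bytes;
}

int main(void)
{
    uint32_t *p = NULL;
    printf("signed check caught failure: %d\n", caught_with_signed_check(1));
    printf("nonzero check caught failure: %d\n", caught_with_nonzero_check(1));
    printf("buggy bytes for 4 elements: %zu\n", alloc_types_buggy(&p, 4)); free(p);
    printf("fixed bytes for 4 elements: %zu\n", alloc_types_fixed(&p, 4)); free(p);
    return 0;
}
```

On an LP64 build the buggy allocation requests 8 bytes per element instead of 4, so it over-allocates rather than truncates, but the comparison is still against the wrong type and a static analyzer flags it for that reason.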
