[17090] in Kerberos-V5-bugs
[krbdev.mit.edu #9204] Passing a null pointer to memcpy and memmove
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Wed Apr 1 18:49:08 2026
From: "Евгений Шемякин via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <CAEtB=ud8QoZ+3ww_-J1rmF1W3Drek4CHdaeYY2aYcJ4q8A2G0A@mail.gmail.com>
Message-ID: <rt-4.4.3-2-1835095-1775083741-1796.9204-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9204":;
Date: Wed, 01 Apr 2026 18:49:02 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Wed Apr 01 18:49:01 2026: Request 9204 was acted upon.
Transaction: Ticket created by playersvn@gmail.com
Queue: krb5
Subject: Passing a null pointer to memcpy and memmove with null size
Owner: Nobody
Requestors: playersvn@gmail.com
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9204 >
Good day!
Using Address Sanitizer, I found several places in the codebase where a
null pointer could be passed to memcpy and memmove functions when the size
was zero. Formally it's undefined behavior. I also found that this issue
had already been fixed here:
Ticket History #9175: NULL pointer passing error in asn1_encode.c
<https://krbdev.mit.edu/rt/Ticket/History.html?id=9175>
Here are other places where I've found a similar problem:
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/lib/crypto/krb/aead.c#L182
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/lib/crypto/krb/aead.c#L214
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/lib/krb5/krb/serialize.c#L70
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/lib/gssapi/krb5/prf.c#L114
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/plugins/kdb/db2/libdb2/btree/btree.h#L228
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/kdc/rtest.c#L88
I also found a minor memory leak issue. We don't call the
krb5_free_cred_contents function for creds if we follow the label here:
https://github.com/krb5/krb5/blob/f8a0bee0a54ba0d96804631a3261ecd233051863/src/lib/gssapi/krb5/acquire_cred.c#L639
With respect,
Evgeny Shemyakin
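As an added illustration of the pattern in the report above (example code written for this page, not krb5 code and not part of the ticket): a guarded copy helper that skips the libc call when the length is zero, so the NULL pointer that an empty buffer naturally carries is never handed to memcpy or memmove. The helper names (copy_bytes, move_bytes, concat_fields, drop_prefix) and the struct field type are hypothetical; the inputs are constructed to reproduce the empty-field shape that triggers the sanitizer report.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not krb5 code: copy n bytes but skip the libc call
 * when n == 0, so a NULL pointer from an empty buffer is never passed to
 * memcpy (the call the sanitizer flags in the report).  Returns the number
 * of bytes copied. */
static size_t
copy_bytes(void *dst, const void *src, size_t n)
{
    if (n == 0)
        return 0;   /* nothing to copy; dst/src may legitimately be NULL */
    memcpy(dst, src, n);
    return n;
}

/* Same guard for the overlapping-buffer case. */
static size_t
move_bytes(void *dst, const void *src, size_t n)
{
    if (n == 0)
        return 0;
    memmove(dst, src, n);
    return n;
}

/* Constructed stand-in for a length-prefixed field whose data pointer is
 * NULL when the field is empty. */
struct field {
    const unsigned char *data;
    size_t len;
};

/* Concatenate fields into out; returns bytes written, or (size_t)-1 when
 * the output buffer is too small. */
static size_t
concat_fields(unsigned char *out, size_t cap, const struct field *f, size_t nf)
{
    size_t off = 0;
    for (size_t i = 0; i < nf; i++) {
        if (f[i].len > cap - off)
            return (size_t)-1;
        off += copy_bytes(out + off, f[i].data, f[i].len);
    }
    return off;
}

/* Shift the tail of a buffer to its start (overlapping regions); dropping
 * everything yields n == 0 and the guard keeps memmove out of the picture. */
static size_t
drop_prefix(unsigned char *buf, size_t len, size_t drop)
{
    if (drop > len)
        drop = len;
    return move_bytes(buf, buf + drop, len - drop);
}

/* Constructed sample: the middle field is empty, with a NULL data pointer. */
static size_t
concat_demo(unsigned char *out, size_t cap)
{
    const struct field fields[] = {
        { (const unsigned char *)"abc", 3 },
        { NULL, 0 },                      /* empty: NULL pointer, zero length */
        { (const unsigned char *)"de", 2 },
    };
    return concat_fields(out, cap, fields, 3);
}

int
main(void)
{
    unsigned char out[16];
    size_t n = concat_demo(out, sizeof out);   /* 5 bytes: "abcde" */
    return n == 5 ? 0 : 1;
}
```

Built with -fsanitize=undefined, the unguarded form of concat_demo would be reported at the middle field; with the guard the run is clean and the result is the same 5-byte concatenation. The same zero-length check is the shape of the fix already applied in the asn1_encode.c ticket the report cites.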
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs