[2778] in Kerberos-V5-bugs
krb5-libs/465: Bad memset parameters in krb_rd_cred_basic
daemon@ATHENA.MIT.EDU (davidson@ms.gar.esys.com)
Wed Aug 27 17:53:13 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, davidson@ms.gar.esys.com
Date: Wed, 27 Aug 1997 16:44:43 -0500
From: davidson@ms.gar.esys.com
Reply-To: davidson@ms.gar.esys.com
To: krb5-bugs@MIT.EDU
Cc: davidson@sdremote.hpc-mo.com
>Number: 465
>Category: krb5-libs
>Synopsis: Bad memset parameters in krb_rd_cred_basic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Aug 27 17:53:00 EDT 1997
>Last-Modified:
>Originator: Shannon V. Davidson
>Organization:
+-----------------------------------------------------------+
| Shannon V. Davidson Voice: (314)475-7596 |
| Raytheon E-Systems E-mail: davidson@ms.gar.esys.com |
+-----------------------------------------------------------+
>Release: 1.0pl1
>Environment:
System: IRIX sdremote 6.2 03131015 IP22
>Description:
I found a bug in krb_rd_cred_basic(). Line 98 of src/lib/krb5/krb/rd_cred.c is

    memset(&encpart, sizeof(encpart), 0);

and should be

    memset(&encpart, 0, sizeof(encpart));

A quick search of the code revealed similar problems in src/lib/krb4/decomp_tkt.c; lines 83 and 98 are

    memset(keybuf, sizeof(keybuf), 0); /* Clear the buffer */

and should be

    memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
>How-To-Repeat:
I ran into this when forwarding TGTs in some application code that I am
writing. It can cause the decrypt code to abort when trying to free
some structures in the encpart structure.
>Fix:
See above for the fix.
>Audit-Trail:
>Unformatted:
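
Added example, not part of the original report or the Kerberos source: a small C program showing that the reported argument order writes zero bytes, so stale pointer fields and key bytes survive the "clear", while the corrected order zeroes the object. The struct enc_part layout, the helper names and the 0xAA fill (standing in for stale stack contents) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the structure being cleared: what matters is
   that it holds pointers which cleanup code later frees if non-NULL. */
struct enc_part {
    int    count;
    void **ticket_info;
    void  *nonce;
};

/* Argument order as reported: fill byte = size, length = 0. The length is
   held in a variable so the file builds under -Wall -Werror; GCC flags the
   literal form with -Wmemset-transposed-args. */
static void clear_as_reported(void *p, size_t n)
{
    size_t len = 0;
    memset(p, (int)n, len);
}

/* Corrected order from the report: fill byte 0, length = size. */
static void clear_as_fixed(void *p, size_t n)
{
    memset(p, 0, n);
}

/* Fill an object with constructed garbage, run one of the clears, and
   return how many bytes are still non-zero afterwards. */
static size_t leftover_after(void (*clear)(void *, size_t))
{
    struct enc_part encpart;
    const unsigned char *b = (const unsigned char *)&encpart;
    size_t i, count = 0;

    memset(&encpart, 0xAA, sizeof(encpart));   /* simulated stale stack */
    clear(&encpart, sizeof(encpart));
    for (i = 0; i < sizeof(encpart); i++)
        if (b[i] != 0)
            count++;
    return count;
}

int main(void)
{
    printf("reported order: %zu of %zu bytes still non-zero\n",
           leftover_after(clear_as_reported), sizeof(struct enc_part));
    printf("fixed order:    %zu bytes still non-zero\n",
           leftover_after(clear_as_fixed));
    return 0;
}
```

With the reported order every byte of the object keeps its previous contents, which is why cleanup code that frees non-NULL members can abort, and why a key buffer "cleared" this way still holds its key.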