[355] in Kerberos-V5-bugs
minor bug in lib/krb/bld_princ.c
daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Sep 21 15:57:54 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 21 Sep 93 14:45:36 -0500
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
The code is from Kerberos 5, pre-beta3 with KRB_CRED patches applied.
The bug only occurs if the function exits abnormally.
Here's the code:
    for (i = 0, next = va_arg(ap, char *);
         next;
         next = va_arg(ap, char *), i++) {
        if (i == count) {
            /* not big enough. realloc the array */
            krb5_data *p_tmp;
            p_tmp = (krb5_data *) realloc((char *)data,
                                          sizeof(krb5_data)*(count*2));
            if (!p_tmp) {
            free_out:
                while (i-- >= 0)        <- *** should be (--i >= 0)
                    xfree(data[i].data);
                xfree(data);
                xfree(tmpdata);
                return (ENOMEM);
            }
            count *= 2;
            data = p_tmp;
        }
        data[i].length = strlen(next);
        data[i].data = strdup(next);
        if (!data[i].data)
            goto free_out;              <- *** problem when i = 0
    }
If realloc returns with an error (!p_tmp), then the "while" loop is executed.
However, the "while" loop iterates one too many times and you end up trying to
execute xfree(data[-1].data).
Another way to see the problem is trace what would happen if "strdup" returned
with an error on the first iteration of the "for" loop. If we jump to
"free_out" when i = 0, then we will again attempt to execute
xfree(data[-1].data).
Suggested fix:
change
while (i-- >= 0)
to
while (--i >= 0)
Jim_Miller@suite.com