[383] in Kerberos-V5-bugs


more problems in process_tgs_req

daemon@ATHENA.MIT.EDU (Jim Miller)
Mon Oct 25 18:33:48 1993

From: jim@bilbo.suite.com (Jim Miller)
Date: Mon, 25 Oct 93 17:19:56 -0500
To: krb5-bugs@MIT.EDU
Reply-To: Jim_Miller@suite.com


This is for Kerberos 5, pre-beta 3


In "process_tgs_req" (kdc/do_tgs_req.c)...

Assume we have jumped to the label "cleanup" and that "errcode" is non-zero.
We will then call the routine "prepare_error_tgs".  Inside of
"prepare_error_tgs", we create an error message reply and then clean up.  Part
of the clean up is to free the ticket that was passed in as a parameter:

static krb5_error_code
prepare_error_tgs (request, ticket, error, ident, response)
register krb5_kdc_req *request;
krb5_ticket *ticket;
int error;
const char *ident;
krb5_data **response;
{
	.
	.
	.
    retval = krb5_mk_error(&errpkt, scratch);
    free(errpkt.text.data);
    *response = scratch;
    if (ticket)
	krb5_free_ticket(ticket);
    return retval;
}


So far so good.  However, shortly after returning to "process_tgs_req", the  
code tries to free the ticket again:

cleanup:
	.
	.
	.
	retval = prepare_error_tgs(request, header_ticket, errcode,
				   fromstring, response);
    }
    if (request)
	krb5_free_kdc_req(request);
    if (req_authdat)
	krb5_free_tkt_authent(req_authdat);   <--*** tries to free ticket freed
						 *** in prepare_error_tgs


This problem seems to be related to the problem described in my previous post.
That is, the assumptions about the contents of "req_authdat" are incorrect.

Jim_Miller@suite.com
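
The ownership problem reported above, as an added example that is not part of the original message or the Kerberos source: a ticket reachable through two pointers is released on both paths, next to two ways of giving it a single owner. All struct and function names are hypothetical stand-ins, and a release is counted rather than passed to free() so the double release can be observed safely.

```c
#include <stddef.h>

/* Hypothetical stand-ins for krb5_ticket and krb5_tkt_authent. A release is
 * counted instead of calling free(), so a double release is observable. */
struct ticket { int releases; };
struct tkt_authent { struct ticket *ticket; };

static void release_ticket(struct ticket *t) { if (t) t->releases++; }

static void release_tkt_authent(struct tkt_authent *a)
{
    release_ticket(a->ticket);   /* the container releases the ticket it holds */
    a->ticket = NULL;
}

/* Pattern from the report: the error helper releases its ticket argument. */
static void error_reply_owning(struct ticket *t) { release_ticket(t); }

/* Alternative: the helper only borrows the ticket and never releases it. */
static void error_reply_borrowing(const struct ticket *t) { (void)t; }

/* Error path as reported: header_ticket aliases the ticket in req_authdat. */
int cleanup_reported(struct ticket *tkt)
{
    struct tkt_authent authdat = { tkt };
    struct ticket *header_ticket = authdat.ticket;
    error_reply_owning(header_ticket);
    release_tkt_authent(&authdat);   /* second release of the same object */
    return tkt->releases;
}

/* Single owner: only the container releases the ticket. */
int cleanup_single_owner(struct ticket *tkt)
{
    struct tkt_authent authdat = { tkt };
    error_reply_borrowing(authdat.ticket);
    release_tkt_authent(&authdat);
    return tkt->releases;
}

/* Ownership transfer: the helper releases, so the caller drops its alias. */
int cleanup_transfer(struct ticket *tkt)
{
    struct tkt_authent authdat = { tkt };
    error_reply_owning(authdat.ticket);
    authdat.ticket = NULL;           /* the container no longer owns it */
    release_tkt_authent(&authdat);
    return tkt->releases;
}
```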

