[385] in Kerberos-V5-bugs
bug in krb5_copy_addresses
tytso@ATHENA.MIT.EDU (tytso@ATHENA.MIT.EDU)
Mon Nov 15 23:49:26 1993
Date: Mon, 8 Nov 93 20:03:20 -0600
Received: by NeXT.Mailer (1.87.1.RR)
Received: by NeXT Mailer (1.87.1.RR)
To: krb5-bugs@MIT.EDU
Subject: bug in krb5_copy_addresses
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
This is for Kerberos 5, pre-beta 3...
There is a bug in the routine krb5_copy_addresses (lib/krb/copy_addrs.c)
Here's the code:
    for (nelems = 0; inaddr[nelems]; nelems++)
        retval = krb5_copy_addr(inaddr[nelems], &tempaddr[nelems]);
        if (retval) {
            krb5_free_addresses(tempaddr);
            return retval;
        }
Notice that it looks like the "if (retval)" is supposed to be part of the "for"
loop. However, the "for" loop does not have any braces "{", therefore only the
call to "krb5_copy_addr" is part of the loop. Rearranged, the code is
really...
    for (nelems = 0; inaddr[nelems]; nelems++)
        retval = krb5_copy_addr(inaddr[nelems], &tempaddr[nelems]);
    if (retval) {
        krb5_free_addresses(tempaddr);
        return retval;
    }
If "inaddr[nelems]" is null (i.e. there are no addresses to copy), the routine
returns a "retval" that has not been set to any meaningful value.
Suggested fix:
! for (nelems = 0; inaddr[nelems]; nelems++) {
retval = krb5_copy_addr(inaddr[nelems], &tempaddr[nelems]);
if (retval) {
krb5_free_addresses(tempaddr);
return retval;
}
+ }
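Review bot: in the error branch inside the loop, "krb5_free_addresses(tempaddr)" runs on an array in which only entries 0..nelems-1 have been filled, and the hunk does not show tempaddr being zero-filled or NULL-terminated beforehand. Please confirm it is allocated zeroed (or set "tempaddr[nelems] = 0" before the free), otherwise the free routine can walk past the copied entries. Separately, the braces alone leave retval unassigned when inaddr is empty, so if the code after the loop returns retval, initialize it to 0 at its declaration or return 0 explicitly.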
Jim_Miller@suite.com
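
The loop shape from the report next to the braced version, as an added example that is not the Kerberos source. Besides the empty-list case described above, it shows that the braceless loop also masks a failure on any element but the last and hands back a silently truncated list. copy_one, count, free_all, ERR_COPY and the garbage parameter (a defined stand-in for the uninitialized retval) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

#define ERR_COPY 12  /* constructed error code */

/* Hypothetical stand-in for krb5_copy_addr: a negative value simulates a failed copy. */
static int copy_one(const int *in, int **out) {
    if (*in < 0 || (*out = malloc(sizeof **out)) == NULL) return ERR_COPY;
    **out = *in;
    return 0;
}
static size_t count(int *const *v) { size_t n = 0; while (v[n]) n++; return n; }
static void free_all(int **v) { for (size_t i = 0; v[i]; i++) free(v[i]); free(v); }

/* Loop shape from the report. `garbage` models the uninitialized retval. */
int copy_buggy(int *const *in, int ***out, int garbage) {
    int retval = garbage;
    size_t n;
    int **tmp = calloc(count(in) + 1, sizeof *tmp);
    if (!tmp) return ERR_COPY;
    for (n = 0; in[n]; n++)
        retval = copy_one(in[n], &tmp[n]);
    if (retval) {               /* outside the loop: sees only the last result */
        free_all(tmp);
        return retval;
    }
    *out = tmp;
    return 0;
}

/* Braced loop from the suggested fix, plus retval initialized for the empty list. */
int copy_fixed(int *const *in, int ***out) {
    int retval = 0;
    size_t n;
    int **tmp = calloc(count(in) + 1, sizeof *tmp);
    if (!tmp) return ERR_COPY;
    for (n = 0; in[n]; n++) {
        retval = copy_one(in[n], &tmp[n]);
        if (retval) { free_all(tmp); return retval; }
    }
    *out = tmp;
    return retval;
}

int main(void) {
    int a = 1, bad = -1, c = 3, **out = NULL;
    int *list[] = { &a, &bad, &c, NULL };   /* constructed input: middle copy fails */
    printf("buggy=%d fixed=%d\n", copy_buggy(list, &out, 0), copy_fixed(list, &out));
    return 0;
}
```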