[433] in Kerberos-V5-bugs

Bug in krb5_get_in_tkt() : Version5/beta3

daemon@ATHENA.MIT.EDU (mullan_s@apollo.hp.com)
Mon Mar 7 15:37:10 1994

To: krb5-bugs@MIT.EDU
Cc: mullan_s@apollo.hp.com (Sean Mullan), hondo@apollo.hp.com (Maryann Hondo)
Date: Mon, 07 Mar 94 15:36:28 -0500
From: mullan_s@apollo.hp.com

Hi,

There are 2 places in krb5_get_in_tkt() in which 
krb5_free_kdc_rep(as_reply) is called more than once, which
could potentially crash the KDC server :

lines 329 - 336 :

    retval = encode_krb5_ticket(as_reply->ticket, &packet);
    if (retval) {
        krb5_free_kdc_rep(as_reply);
        krb5_free_addresses(creds->addresses);
        cleanup_key();
        krb5_free_kdc_rep(as_reply);
        return retval;
    }  

lines 340 - 349 :

    /* store it in the ccache! */
    if (retval = krb5_cc_store_cred(ccache, creds)) {
        krb5_free_kdc_rep(as_reply);
        /* clean up the pieces */
        krb5_xfree(creds->ticket.data);
        krb5_free_addresses(creds->addresses);
        cleanup_key();
        krb5_free_kdc_rep(as_reply);
        return retval;
    }

************************************************************
Sean Mullan                    Phone: (508) 436-4129
Hewlett-Packard Co.         Internet: mullan_s@apollo.hp.com
300 Apollo Drive                 Fax: (508) 436-5140
Chelmsford, MA 01824
************************************************************
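
An added example, not part of the original message or the Kerberos source: a sketch of the same two error paths restructured around a single cleanup label, so the reply is released exactly once per path. The types, `free_kdc_rep()`, `get_in_tkt_sketch()`, the failure flags and the `rep_free_calls` counter are hypothetical stand-ins, not krb5 APIs.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the krb5 types and calls in the report. */
struct kdc_rep { char *ticket; };
struct creds   { char *ticket_data; char *addresses; };

static int rep_free_calls;   /* instrumentation: counts releases of the reply */

static void free_kdc_rep(struct kdc_rep *rep)
{
    if (rep == NULL)
        return;
    rep_free_calls++;
    free(rep->ticket);
    free(rep);
}

/* fail_encode / fail_store simulate encode_krb5_ticket() and
 * krb5_cc_store_cred() returning an error (constructed inputs). */
int get_in_tkt_sketch(int fail_encode, int fail_store)
{
    int retval = 0;
    struct creds creds = { NULL, NULL };
    struct kdc_rep *as_reply = calloc(1, sizeof(*as_reply));

    if (as_reply == NULL)
        return -1;
    rep_free_calls = 0;
    creds.addresses = malloc(16);

    if (fail_encode) {            /* first error path in the report */
        retval = 1;
        goto cleanup;
    }
    creds.ticket_data = malloc(16);

    if (fail_store) {             /* second error path in the report */
        retval = 2;
        goto cleanup;
    }

cleanup:
    /* Single exit: the sketch owns every object, so the success path
     * also lands here, and each object is released exactly once. */
    free(creds.ticket_data);
    free(creds.addresses);
    free_kdc_rep(as_reply);
    return retval;
}
```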
