[794] in Kerberos-V5-bugs


asn1buf_remove_octetstring can call calloc with size of 0...

daemon@ATHENA.MIT.EDU (epeisach@MIT.EDU)
Thu Sep 29 12:46:42 1994

From: epeisach@MIT.EDU
Date: Thu, 29 Sep 1994 12:46:39 -0400
To: krb5-bugs@MIT.EDU


In asn1buf_remove_octetstring, the code is as follows:

  /* len == 0 turns this into calloc(0, 1), i.e. malloc(0) */
  *s = (asn1_octet*)calloc(len,sizeof(asn1_octet));
  /* NULL only counts as a failure when something was actually requested */
  if((*s == NULL) && len) return ENOMEM;
  for(i=0; i<len; i++)
    (*s)[i] = (asn1_octet)(buf->next)[i];
  buf->next += len;
  return 0;

When running in a debugger that catches malloc(0) (running kinit), len
is set to zero, so calloc(0, 1) is malloc(0). This can be unpredictable
on some systems. In some cases NULL is returned, in others malloc(1),
and in others a pointer to really zero bytes of data....

Perhaps a test of len==0 would be appropriate.... and the code
rewritten... I do not understand the internals of the code enough to
offer you a fix at this time...

	Ezra
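The check Ezra suggests, worked through as an added example. This is not code from the bug report or from krb5 itself: it assumes a minimal asn1buf layout (bound/next only), a hypothetical ASN1_OVERRUN error code, and adds a bounds check that the quoted fragment does not show. The reported shape is kept beside the hardened one so the len == 0 behaviour of both can be compared on whatever platform this is compiled on.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char asn1_octet;
typedef int asn1_error_code;

/* Minimal stand-in for krb5's asn1buf; this layout is an assumption made
 * for the example, not the library's own definition. */
typedef struct {
    asn1_octet *bound;  /* last valid octet */
    asn1_octet *next;   /* next octet to be consumed */
} asn1buf;

#define ASN1_OVERRUN 0x10   /* hypothetical error code, used only here */

static void asn1buf_wrap(asn1buf *buf, asn1_octet *data, size_t n)
{
    buf->next = data;
    buf->bound = data + n - 1;   /* n > 0 in this example */
}

/* Octets still available from next up to and including bound. */
static size_t asn1buf_remaining(const asn1buf *buf)
{
    return (buf->next <= buf->bound) ? (size_t)(buf->bound - buf->next) + 1 : 0;
}

/* Shape of the reported code: len == 0 reaches calloc(0, 1), whose result
 * is implementation-defined (NULL or a unique zero-length block). */
static asn1_error_code remove_octetstring_reported(asn1buf *buf, size_t len, asn1_octet **s)
{
    size_t i;
    *s = (asn1_octet *)calloc(len, sizeof(asn1_octet));
    if ((*s == NULL) && len) return ENOMEM;
    for (i = 0; i < len; i++)
        (*s)[i] = buf->next[i];
    buf->next += len;
    return 0;
}

/* Hardened variant: rejects reads past the buffer and maps an empty octet
 * string to *s == NULL without touching the allocator, so the outcome no
 * longer depends on the platform's malloc(0) policy. Callers must treat
 * (rc == 0 && *s == NULL) as "empty", never as "failed". */
static asn1_error_code remove_octetstring_fixed(asn1buf *buf, size_t len, asn1_octet **s)
{
    if (len > asn1buf_remaining(buf)) return ASN1_OVERRUN;
    if (len == 0) { *s = NULL; return 0; }
    *s = (asn1_octet *)malloc(len);
    if (*s == NULL) return ENOMEM;
    memcpy(*s, buf->next, len);
    buf->next += len;
    return 0;
}

#define NUM_CHECKS 5

/* Runs the hardened routine over a constructed buffer and returns how many
 * of the NUM_CHECKS expectations held. */
int run_checks(void)
{
    asn1_octet data[] = { 0x04, 0x03, 'a', 'b', 'c' };   /* constructed input */
    asn1buf buf;
    asn1_octet *s = NULL;
    int passed = 0;

    asn1buf_wrap(&buf, data, sizeof data);
    /* 1: a 3-octet string is copied out and the cursor advances */
    if (remove_octetstring_fixed(&buf, 3, &s) == 0 && s != NULL
        && memcmp(s, data, 3) == 0 && buf.next == data + 3) passed++;
    free(s);
    /* 2: an empty string yields NULL with success and no cursor movement */
    s = data;   /* sentinel, to prove it gets overwritten */
    if (remove_octetstring_fixed(&buf, 0, &s) == 0 && s == NULL && buf.next == data + 3) passed++;
    /* 3: asking for more than remains is rejected and leaves the cursor alone */
    if (remove_octetstring_fixed(&buf, 5, &s) == ASN1_OVERRUN && buf.next == data + 3) passed++;
    /* 4: the last two octets can still be taken */
    if (remove_octetstring_fixed(&buf, 2, &s) == 0 && s != NULL
        && memcmp(s, data + 3, 2) == 0 && asn1buf_remaining(&buf) == 0) passed++;
    free(s);
    /* 5: with nothing left, one octet is an overrun but zero is still fine */
    if (remove_octetstring_fixed(&buf, 1, &s) == ASN1_OVERRUN
        && remove_octetstring_fixed(&buf, 0, &s) == 0 && s == NULL) passed++;
    return passed;
}

int main(void)
{
    asn1_octet one = 0, *p = NULL;
    asn1buf buf;
    asn1buf_wrap(&buf, &one, 1);
    remove_octetstring_reported(&buf, 0, &p);   /* what calloc(0, 1) does here */
    printf("reported code, len=0: calloc returned %s\n", p ? "a non-NULL block" : "NULL");
    free(p);
    printf("hardened checks passed: %d/%d\n", run_checks(), NUM_CHECKS);
    return run_checks() == NUM_CHECKS ? 0 : 1;
}
```

The first printf line is the only platform-dependent part: on a libc where malloc(0) returns NULL the reported code reports success with *s == NULL, elsewhere it hands back a block that must later be freed, and a debugger or allocator checker may flag the call either way. The hardened routine gives the same answer everywhere, which is the property worth having in a DER decoder that sees attacker-supplied lengths.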