[495] in Kerberos_V5_Development


lib/des/krb_glue.c

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Dec 9 00:20:24 1990

How is mit_des_encrypt_func supposed to work if the input data is 8 bytes?

Clearly line 154 is referencing beyond the length of the input
buffer.  How do any of the database manipulation programs which call
krb5_kdb_encrypt_key with a keyblock returned from krb5_string_to_key
*ever* work?

(This is from saber on a Vax)

"/mit/krb5/src/lib/des/krb_glue.c":154, mit_des_encrypt_func(), Storing bad pointer (Warning #17)
   153:
 * 154:     p = (char *)in + sumsize - CRC32_CKSUM_LENGTH;
   155:     endinput = (char *)in + size;
Storing a bad pointer at auto variable mit_des_encrypt_func`p.
The pointer contains the value 0xaa3cc.
(break 1) 104 -> sumsize - CRC32_CKSUM_LENGTH;
(int) 12
(break 1) 105 -> where
error #17 (Storing bad pointer)
mit_des_encrypt_func(in = (char *) 0xaa3c0 "\x01f\x0d6\x08f\x0b0\x09e\x019\x085*" /* unterminated string */, out = (char *) 0x14f094 "" /* unset value */, size= (int) 8, key = (struct _krb5_encrypt_block *) 0xa9d40, ivec = (char *) 0x0) at "/mit/krb5/src/lib/des/krb_glue.c":154
krb5_kdb_encrypt_key(eblock = (struct _krb5_encrypt_block *) 0xa9d40, in = (struct _krb5_keyblock *) 0xb0638, out = (struct _krb5_keyblock *) 0xb0608) at "/mit/krb5/src/lib/kdb/encrypt_key.c":52
add_princ(str_newprinc = (char *) 0x197014 "yyyy1-DEPTH-1") at "kdb5_mkdums.c":260
main(argc = (int) 7, argv = (char **) 0x1b5b20) at "kdb5_mkdums.c":210
saber_run((char *) 0x1d84e0 "-p yyyy -n 10 -D 2") builtin saber function
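
Added illustration, not part of the original post and not krb5 source: the pointer arithmetic from line 154 with a bounds check, using the values in the trace (size 8, offset 12). Only the expression `sumsize - CRC32_CKSUM_LENGTH` and the value 12 come from the page; the rounding rule for sumsize, the constants' values, and the helper names padded_len, cksum_offset, slot_in_bounds and stage_input are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRC32_CKSUM_LENGTH 4  /* assumed: a CRC-32 occupies 4 bytes */
#define DES_BLOCK 8           /* assumed: DES block size in bytes */

/* Assumption: sumsize is size plus the checksum, rounded up to a whole
 * DES block. For size 8 this gives 16, and 16 - 4 = 12 as in the trace. */
static size_t padded_len(size_t size)
{
    return (size + CRC32_CKSUM_LENGTH + DES_BLOCK - 1) / DES_BLOCK * DES_BLOCK;
}

/* Offset of the checksum slot: the "sumsize - CRC32_CKSUM_LENGTH" of line 154. */
static size_t cksum_offset(size_t size)
{
    return padded_len(size) - CRC32_CKSUM_LENGTH;
}

/* 1 if the whole checksum slot lies inside a buffer of buflen bytes, else 0. */
static int slot_in_bounds(size_t size, size_t buflen)
{
    size_t off = cksum_offset(size);
    return off <= buflen && buflen - off >= CRC32_CKSUM_LENGTH;
}

/* Hypothetical remedy: copy the caller's data into a scratch buffer that is
 * large enough for data, padding and checksum, then return the slot inside
 * the scratch buffer. Returns NULL if the scratch buffer is too small. */
static unsigned char *stage_input(const unsigned char *in, size_t size,
                                  unsigned char *scratch, size_t scratch_len)
{
    size_t total = padded_len(size);
    if (scratch_len < total)
        return NULL;
    memset(scratch, 0, total);
    memcpy(scratch, in, size);
    return scratch + cksum_offset(size);
}

int main(void)
{
    unsigned char key[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed 8-byte input */
    unsigned char scratch[16];
    printf("offset=%zu in_bounds=%d staged=%d\n", cksum_offset(sizeof key),
           slot_in_bounds(sizeof key, sizeof key),
           stage_input(key, sizeof key, scratch, sizeof scratch) != NULL);
    return 0;
}
```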
