[2800] in Kerberos
krb5_rc_dfl_expunge bug?
daemon@ATHENA.MIT.EDU (Jim Miller)
Thu Sep 2 18:05:41 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Thu, 2 Sep 93 16:36:03 -0500
To: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
I'm looking at the routine krb5_rc_dfl_expunge and it seems to use freed data.
Upon entry into krb5_rc_dfl_expunge we have:
struct dfl_data *t = (struct dfl_data *)id->data;
Shortly after this we have:
(void) krb5_rc_dfl_close(id);
Inside of "krb5_rc_dfl_close" we see the following:
krb5_error_code krb5_rc_dfl_close(id)
    krb5_rcache id;
{
    struct dfl_data *t = (struct dfl_data *)id->data;
    ...
    [code that frees authlist deleted]
    [code that closes file descriptor deleted]
    ...
    FREE(t);            <-**** id->data is freed!
    return 0;
}
After returning to "krb5_rc_dfl_expunge" we see the following:
    for (q = t->a; q; q = q->na) {     <-*** "t" points to freed id->data!!!
        if (krb5_rc_io_store ((struct dfl_data *)tmp->data, &q->rep))
            return KRB5_RC_IO;
    }
    if (krb5_rc_io_sync(&t->d))         <-*** "t" points to freed id->data!!!
        return KRB5_RC_IO;
    if (krb5_rc_io_move(&t->d, &((struct dfl_data *)tmp->data)->d))
        return KRB5_RC_IO;
I realize that on some machines you can get away with this, if you're quick
about it, but it causes an error when I'm running under NEXTSTEP 2.1.
The error occurs inside of the call to "krb5_rc_io_move". By the time I get
to this routine "t->d.fn" points to garbage.
Has anyone else noticed problems with "krb5_rc_dfl_expunge"? Is there a patch
file that corrects this problem?
Thanks,
Jim_Miller@suite.com
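As an added illustration of the ordering problem described in the report above (a constructed model, not krb5 source; the struct, field and function names are stand-ins for struct dfl_data, krb5_rcache, the authlist and krb5_rc_dfl_close), the expunge below does every read through t before close frees it, copies out the file name it still needs for the "move", and the close clears the handle's data pointer so nothing is left dangling:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

struct authent  { int valid; struct authent *na; };  /* stands in for the authlist entries */
struct dfl_data { char *fn; struct authent *a; };    /* stands in for struct dfl_data (fn ~ t->d.fn) */
struct rcache   { struct dfl_data *data; };          /* stands in for krb5_rcache */

static struct dfl_data *dfl_new(const char *fn)
{
    struct dfl_data *t = calloc(1, sizeof *t);
    t->fn = strdup(fn);
    return t;
}

static void add_entry(struct dfl_data *t, int valid)
{
    struct authent *e = malloc(sizeof *e);
    e->valid = valid; e->na = t->a; t->a = e;
}

/* Like krb5_rc_dfl_close: frees the authlist, then the dfl_data itself. */
static int dfl_close(struct rcache *id)
{
    struct dfl_data *t = id->data;
    while (t->a) { struct authent *n = t->a->na; free(t->a); t->a = n; }
    free(t->fn);
    free(t);
    id->data = NULL;      /* the handle no longer carries a dangling pointer */
    return 0;
}

/* Expunge with the order corrected: every read through t happens before
 * dfl_close() frees it, and the file name needed for the "move" is copied out first. */
static int dfl_expunge(struct rcache *id, struct rcache *tmp)
{
    struct dfl_data *t = id->data;
    int kept = 0;
    for (struct authent *q = t->a; q; q = q->na)     /* store live entries into tmp */
        if (q->valid) { add_entry(tmp->data, 1); kept++; }
    char *fn = strdup(t->fn);                         /* needed after close: copy it now */
    dfl_close(id);                                    /* t is dangling from here on; never touched again */
    free(tmp->data->fn); tmp->data->fn = fn;          /* "move": tmp takes over the original name */
    id->data = tmp->data; tmp->data = NULL;           /* handle now refers to the compacted cache */
    return kept;
}

/* Constructed scenario: three entries, one expired, then expunge and verify. */
static int demo(void)
{
    struct rcache id = { dfl_new("rc_krb5") }, tmp = { dfl_new("rc_krb5.tmp") };
    add_entry(id.data, 1); add_entry(id.data, 0); add_entry(id.data, 1);
    int kept = dfl_expunge(&id, &tmp);
    int ok = strcmp(id.data->fn, "rc_krb5") == 0 && tmp.data == NULL;
    dfl_close(&id);
    return ok ? kept : -1;        /* returns 2 */
}
```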