In src/kadmin/server/schpw.c:process_chpw_request()): chpwfail: clear.length = 2 + strlen(strresult); clear.data = (char *) malloc(clear.length); ptr = clear.data; *ptr++ = (numresult>>8) & 0xff; If malloc() fails *ptr++ will be a NULL pointer deref.