From bear@coyotesong.com  Sat Jan  8 15:40:11 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
	by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id PAA01595
	for <bugs@RT-11.MIT.EDU>; Sat, 8 Jan 2000 15:40:11 -0500 (EST)
Received: from bgiles.dimensional.com by MIT.EDU with SMTP
	id AA28610; Sat, 8 Jan 00 15:39:39 EST
Received: (from bear@localhost)
	by eris.coyotesong.com (8.9.3/8.9.3/Debian/GNU) id NAA23226;
	Sat, 8 Jan 2000 13:39:50 -0700
Message-Id: <200001082039.NAA23226@eris.coyotesong.com>
Date: Sat, 8 Jan 2000 13:39:50 -0700
From: bgiles@coyotesong.com
Reply-To: bgiles@coyotesong.com
To: krb5-bugs@MIT.EDU
Cc:
Subject: appl/bsd/login.c: attempt to free null ptr
X-Send-Pr-Version: 3.99

>Number:         807
>Category:       telnet
>Synopsis:       appl/bsd/login.c attempts to free null pointer
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    raeburn
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sat Jan  8 15:41:01 EST 2000
>Last-Modified:  Fri Sep 14 19:13:33 EDT 2001
>Originator:     Bear Giles
>Organization:
Bear Giles
bgiles@coyotesong.com
>Release:        krb5-1.1.1
>Environment:
Debian 2.1r5
	
System: Linux eris 2.2.13 #7 SMP Sat Oct 30 20:57:16 MDT 1999 i686 unknown
Architecture: i686

>Description:
Problem initially manifested itself with ktelnet/ktelnetd: every attempt 
to connect was immediately terminated, even with the "-a none" option.
I was able to track that problem to the silent failure of login.krb5.
	
>How-To-Repeat:
It happens during every attempt to connect.
	
>Fix:
I determined that the problem occured near line 1644 in appl/bsd/login.c.
krb5_cc_destroy() was called without testing whether xtra_creds is null.
The problem was eliminated after moving this call into the prior
conditional, with suitable modifications.

begin 664 0006
M+2TM(&]L9"]S<F,O87!P;"]B<V0O;&]G:6XN8PE&<FD@1&5C(#$W(#$S.C0S
M.C0Y(#$Y.3D**RLK(&YE=R]S<F,O87!P;"]B<V0O;&]G:6XN8PE3870@2F%N
M("`X(#$R.C4S.C`X(#(P,#`*0$`@+3$V-#`L,3,@*S$V-#`L,3,@0$`*(`D@
M("`@8V]M7V5R<BAA<F=V6S!=+"!R971V86PL(")W:&5N(&EN:71I86QI>FEN
M9R!C86-H92(I.PH@"7T@96QS92!I9B`H<F5T=F%L(#T@:W)B-5]C8U]S=&]R
M95]C<F5D*&MC;VYT97AT+"!C8V%C:&4L("9M>5]C<F5D<RDI('L*(`D@("`@
M8V]M7V5R<BAA<F=V6S!=+"!R971V86PL(")W:&EL92!S=&]R:6YG(&-R961E
M;G1I86QS(BD["BT)?2!E;'-E(&EF("AX=')A7V-R961S("8F"BT)"2`@("AR
M971V86P@/2!K<F(U7V-C7V-O<'E?8W)E9',H:V-O;G1E>'0L('AT<F%?8W)E
M9',L"BT)"0D)"0EC8V%C:&4I*2D@>PHM"2`@("!C;VU?97)R*&%R9W9;,%TL
M(')E='9A;"P@(G=H:6QE('-T;W)I;F<@8W)E9&5N=&EA;',B*3L**PE](&5L
M<V4@:68@*'AT<F%?8W)E9',I('L**PD@("`@:68@*')E='9A;"`](&MR8C5?
M8V-?8V]P>5]C<F5D<RAK8V]N=&5X="P@>'1R85]C<F5D<RP@8V-A8VAE*2D@
M>PHK"0EC;VU?97)R*&%R9W9;,%TL(')E='9A;"P@(G=H:6QE('-T;W)I;F<@
M8W)E9&5N=&EA;',B*3L**PD@("`@?0HK"2`@("!K<F(U7V-C7V1E<W1R;WDH
M:V-O;G1E>'0L('AT<F%?8W)E9',I.PH@"7T*(`HM"6MR8C5?8V-?9&5S=')O
M>2AK8V]N=&5X="P@>'1R85]C<F5D<RD["B`@("`@?2!E;'-E(&EF("AF;W)W
M87)D961?=C5?=&EC:V5T<R`F)B!R97=R:71E7V-C86-H92D@>PH@"6EF("@H
M<F5T=F%L(#T@:W)B-5]C8U]I;FET:6%L:7IE("AK8V]N=&5X="P@8V-A8VAE
@+"!M92DI*2!["B`)("`@('-Y<VQO9RA,3T=?15)2+`H`
`
end
>Audit-Trail:

Responsible-Changed-From-To: hartmans->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Feb 21 16:27:51 2000
Responsible-Changed-Why:
I'll take it...

State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Mon Feb 21 16:27:56 2000
State-Changed-Why:

We got a slightly different patch for this from someone else.  In any
case, it should be fixed in 1.2....

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri Sep 14 19:13:13 2001
State-Changed-Why:
has been fixed for a while; closing.

>Unformatted:
 <synopsis of the problem (one line)>