Subject: MSLSA get next cred functionality

krb5_lcc_next_cred() has several problems:

1. It's supposed to return the next cred, and therefore if there is an error while reading/parsing a ticket it is supposed to skip the error and try the next ticket. It fails to do this correctly.

2. If an error occurs it sets retval to KRB5_FCC_INTERNAL. If it is able to obtain a subsequent ticket, it does not clear the error value, which in turn breaks the caller.

3. When an error does occur the cause of the error is lost. A descriptive error should be provided.

4. There is a race between when the enumeration is generated in krb5_lcc_start_seq_get() and when the tickets are read. If the tickets are removed in between, the KRB5_FCC_INTERNAL error is thrown. We can't avoid the race entirely, but it might be useful to parse all of the tickets in krb5_lcc_start_seq_get() and then just hand them out. On the other hand, this approach would perform unneeded expensive work if the app only required the first ticket in the cache.

5. A more general problem: there is no validation that the 'id' and 'cursor' inputs are non-NULL.
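
One way to structure the iteration so that items 1, 2, 3 and 5 above hold, as an added sketch that is not part of the original report and is not the MIT Kerberos source. The error codes, the struct types, fetch_slot() and the sample data are hypothetical stand-ins for the LSA ticket read.

```c
#include <stddef.h>

/* Hypothetical codes and types for this sketch; not the krb5 definitions. */
enum { OK = 0, ERR_END, ERR_INVALID_ARG, ERR_TICKET_GONE };
struct slot   { int present; int ticket; };   /* present == 0: purged after enumeration */
struct cache  { const struct slot *slots; size_t count; };
struct cursor { size_t index; size_t skipped; int last_error; };

/* Stands in for reading and parsing one ticket; fails for purged entries. */
static int fetch_slot(const struct cache *id, size_t i, int *ticket_out)
{
    if (!id->slots[i].present)
        return ERR_TICKET_GONE;
    *ticket_out = id->slots[i].ticket;
    return OK;
}

int next_cred(const struct cache *id, struct cursor *cur, int *ticket_out)
{
    if (id == NULL || cur == NULL || ticket_out == NULL)   /* item 5 */
        return ERR_INVALID_ARG;
    while (cur->index < id->count) {
        int retval = fetch_slot(id, cur->index++, ticket_out);
        if (retval == OK)
            return OK;             /* item 2: an earlier failure is not returned */
        cur->last_error = retval;  /* item 3: keep the cause for diagnostics */
        cur->skipped++;            /* item 1: skip the bad entry and try the next */
    }
    return ERR_END;
}

/* Constructed sample: entries 0 and 2 vanished between enumeration and read. */
static const struct slot sample[] = { {0, 10}, {1, 11}, {0, 12}, {1, 13} };

/* Returns the n-th ticket (1-based) handed out from the sample, or -1 at the end. */
int sample_nth_ticket(int n)
{
    struct cache id = { sample, sizeof sample / sizeof sample[0] };
    struct cursor cur = { 0, 0, OK };
    int ticket = -1;
    for (int i = 0; i < n; i++)
        if (next_cred(&id, &cur, &ticket) != OK)
            return -1;
    return ticket;
}
```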