From: "Arlene Berry"
Date: Fri, 5 Mar 2010 16:51:19 -0500
Subject: [krbdev.mit.edu #6675] segfault in gss_export_sec_context
Message-ID: <23447137FA0DAA4D95EF535FF356BE46041C88D5@mse3be2.mse3.exchange.ms>
Content-Type: text/plain; charset="us-ascii"
In src/lib/krb5/krb/authdata.c, context is NULL and is dereferenced:

    static krb5_error_code
    k5_ad_size(krb5_context kcontext,
               krb5_authdata_context context,
               krb5_flags flags,
               size_t *sizep)
    {
        int i;
        krb5_error_code code = 0;

        *sizep += sizeof(krb5_int32); /* count */

        /* context is NULL here (frame #0 below), so this dereference faults */
        for (i = 0; i < context->n_modules; i++) {

The back trace is:

    #0  0x0045dfcf in k5_ad_size (kcontext=0x8054af8, context=0x0, flags=15, sizep=0xbffff078)
        at krb5/src/lib/krb5/krb/authdata.c:162
    #1  0x0045f7a2 in krb5_authdata_context_size (kcontext=0x8054af8, ptr=0x0, sizep=0xbffff078)
        at krb5/src/lib/krb5/krb/authdata.c:1131 (line 1067 in your trunk)
    #2  0x00484310 in krb5_size_opaque (kcontext=0x8054af8, odtype=-1760647364, arg=0x0, sizep=0xbffff078)
        at krb5/src/lib/krb5/krb/serialize.c:104 (line 105 in your trunk)
    #3  0x006ed9c3 in kg_ctx_size (kcontext=0x8054af8, arg=0x8053700, sizep=0xbffff0b4)
        at krb5/src/lib/gssapi/krb5/ser_sctx.c:361
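The sizing routine with the missing argument validation, as an added example that is neither the reporter's code nor the actual krb5 fix: the stand-in struct layout and the choice to return EINVAL on a NULL context (rather than sizing it as an empty one) are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types. The real krb5 definitions differ; these only model the
 * fields the sizing loop touches (assumption for this example). */
typedef int32_t krb5_int32;
typedef krb5_int32 krb5_error_code;
typedef krb5_int32 krb5_flags;

struct ad_module_stub { size_t serialized_size; };

struct ad_context_stub {
    int n_modules;
    struct ad_module_stub *modules;
};
typedef struct ad_context_stub *krb5_authdata_context;

/* Sizing with argument validation added. The reported crash had
 * context == NULL (frame #0 in the backtrace); here that case returns
 * EINVAL instead of being dereferenced. Returning an error rather than
 * treating a NULL context as "zero modules" is an assumption. */
static krb5_error_code
k5_ad_size_checked(void *kcontext, krb5_authdata_context context,
                   krb5_flags flags, size_t *sizep)
{
    int i;

    (void)kcontext;
    (void)flags;
    if (sizep == NULL || context == NULL)
        return EINVAL;

    *sizep += sizeof(krb5_int32); /* count */
    for (i = 0; i < context->n_modules; i++)
        *sizep += context->modules[i].serialized_size;
    return 0;
}

int main(void)
{
    struct ad_module_stub mods[2] = { { 16 }, { 24 } }; /* constructed sizes */
    struct ad_context_stub ctx = { 2, mods };
    size_t sz = 0;

    printf("valid context: rc=%d size=%zu\n",
           (int)k5_ad_size_checked(NULL, &ctx, 15, &sz), sz);
    sz = 0;
    printf("NULL context:  rc=%d size=%zu\n",
           (int)k5_ad_size_checked(NULL, NULL, 15, &sz), sz);
    return 0;
}
```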