From: Ian Abbott
To: krb5-bugs@mit.edu
Date: Fri, 3 Feb 2012 15:01:19 +0000
Message-ID: <4F2BF6BF.9010802@mev.co.uk>
Subject: [BUG krb5-1.10] krb5_gss_get_name_attribute

Hi krb5 maintainers,

I think there is a bug in krb5_gss_get_name_attribute introduced in release 1.10 around lines 389-394 of src/lib/gssapi/krb5/naming_exts.c:

    if (display_value != NULL) {
        if (code != 0)
            code = data_to_gss(&kdisplay_value, display_value);
        else
            free(kdisplay_value.data);
    }

I think the "if (code != 0)" test needs to be inverted, otherwise *display_value is never set when the function returns 0 for success.

I found this when trying to figure out why Samba3's smbd was crapping out on me. It called gss_get_name_attribute with display_value pointing to an uninitialized gss_buffer_t variable on the stack and later passed a pointer to the same variable to gss_release_buffer() which caused glib's free() to abort the process because display_value->value was an uninitialized pointer.

Best regards,
Ian Abbott.

-- 
-=( Ian Abbott @ MEV Ltd. E-mail: )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
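Added illustration, not part of the report above or of the krb5 sources: a C sketch that models the tail of krb5_gss_get_name_attribute with constructed stand-in types, runs it under both the 1.10 condition and the inverted one, and shows why a caller that starts from GSS_C_EMPTY_BUFFER can release the output buffer safely either way. The ownership-transfer semantics of data_to_gss, and the helpers finish_display_value and caller_gets_value, are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the krb5/GSSAPI types named in the report;
 * these are not the real headers. */
typedef struct { unsigned int length; char *data; } krb5_data;
typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;
#define GSS_C_EMPTY_BUFFER {0, NULL}

/* Assumed semantics: hand the krb5_data's storage over to the GSS buffer,
 * which is consistent with the free() in the other branch of the snippet. */
static int data_to_gss(krb5_data *in, gss_buffer_t out)
{
    out->length = in->length;
    out->value = in->data;
    in->data = NULL;
    return 0;
}

/* Models the tail of krb5_gss_get_name_attribute. `buggy` selects the
 * 1.10 test (code != 0); otherwise the corrected test (code == 0).
 * `code` is the result of the preceding lookup, 0 meaning success. */
static int finish_display_value(int buggy, int code, krb5_data *kdisplay,
                                gss_buffer_t display_value)
{
    if (display_value != NULL) {
        if (buggy ? (code != 0) : (code == 0))
            code = data_to_gss(kdisplay, display_value);
        else
            free(kdisplay->data);
    }
    return code;
}

/* Caller side, after a successful lookup: initialise the output buffer,
 * call, and report what came back. Returns 1 if the buffer was filled,
 * 0 if it stayed empty (so releasing it frees nothing), -1 on error. */
static int caller_gets_value(int buggy)
{
    char *s = malloc(6);                      /* constructed lookup result */
    memcpy(s, "alice", 6);
    krb5_data kdisplay = { 5, s };
    gss_buffer_desc out = GSS_C_EMPTY_BUFFER; /* never left uninitialised */
    int code = finish_display_value(buggy, 0, &kdisplay, &out);
    int got = out.value != NULL && out.length == 5;
    free(out.value);   /* what gss_release_buffer would do; free(NULL) is safe */
    return code != 0 ? -1 : got;
}
```

With the 1.10 test the call reports success yet leaves the buffer untouched, which is exactly why an uninitialised stack variable handed to gss_release_buffer() blows up; initialising to GSS_C_EMPTY_BUFFER turns that into a harmless no-op until the library is fixed.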