From: Nickolai Zeldovich
Date: Mon, 17 Dec 2012 19:12:03 -0500
Subject: Re: [krbdev.mit.edu #7511] AutoReply: Some more nits
To: rt@krbdev.mit.edu

One more nit:

src/lib/rpc/clnt_raw.c:95,96: the first time clntraw_create() is called,
clp will be NULL, and despite checking for this and allocating memory on
lines 98-103, the xdrs and client variables are never re-computed, which
can lead to dereferencing invalid pointers later in the same function.

[ No code in krb5 actually calls clntraw_create(), and no application is
likely to call it either, because it would immediately crash; I have no
idea how much you care about actually fixing this code vs. just removing
clnt_raw.c. ]

Nickolai.
On Mon, Dec 17, 2012 at 6:47 PM, krb5 wrote:
>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
>         "Some more nits",
> a summary of which appears below.
>
> There is no need to reply to this message right now.  Your ticket has been
> assigned an ID of [krbdev.mit.edu #7511].
>
> Please include the string:
>
>          [krbdev.mit.edu #7511]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
>                         Thank you,
>
>
> -------------------------------------------------------------------------
> On the current git master branch (2af891a5):
>
> src/util/support/utf8_conv.c:281: (len + n < len) is never required to
> be true: len is a signed integer, n is known to be >= 1 (from line
> 279), and overflow for signed integers is undefined behavior.  Many
> compilers (e.g., gcc) will discard the code from lines 281-282 as a
> result.
>
> src/kdc/do_tgs_req.c:884: if state can be NULL, then it should have
> been checked before dereferencing state at line 850.
>
> src/kdc/fast_util.c:300: if s can be NULL, then it should have been
> checked before dereferencing s at line 298.
>
> src/kdc/fast_util.c:421: if state can be NULL, then it should have
> been checked before dereferencing state at line 417.
>
> src/plugins/kdb/db2/libdb2/btree/bt_seq.c:449: h is guaranteed to be
> NULL at this point, but it's being dereferenced anyway.  Perhaps this
> was meant to refer to the previous value of h, before it was
> overwritten on line 447?
>
> Nickolai.
>
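The utf8_conv.c item in the quoted ticket is the one with the broadest lesson: a post-hoc overflow test on a signed integer is not a check at all, because the compiler is entitled to assume the overflow never happens. The following is an added example, not krb5 code, showing the pattern the ticket objects to next to a well-defined replacement; the function names (add_len_unchecked, add_len_checked, add_size_checked) are hypothetical and only the behaviour of the checked variants is specified.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Added example (not from krb5): the length-accumulation check discussed
 * in the ticket's utf8_conv.c item.  All function names are hypothetical.
 */

/*
 * The pattern the ticket objects to.  len is a signed int and the caller
 * guarantees n >= 1, so the only way (len + n < len) could become true is
 * through signed overflow, which is undefined behaviour.  gcc and clang
 * are allowed to assume that never happens and drop the branch entirely,
 * so a caller can end up with a wrapped (negative) length.
 */
int add_len_unchecked(int len, int n)
{
    if (len + n < len)      /* relies on UB: may be optimised away */
        return -1;
    return len + n;
}

/*
 * Well-defined replacement: decide whether the sum fits *before* adding.
 * With len known to be non-negative, INT_MAX - len cannot itself overflow.
 * Returns 0 and stores the sum in *out, or -1 if the sum would not fit
 * (or the inputs are outside the documented range).
 */
int add_len_checked(int len, int n, int *out)
{
    if (len < 0 || n < 1)
        return -1;          /* input outside the assumed range */
    if (n > INT_MAX - len)
        return -1;          /* len + n would exceed INT_MAX */
    *out = len + n;
    return 0;
}

/*
 * The same pre-check for unsigned sizes.  Wraparound is defined for
 * size_t, so (a + b < a) would be legal there, but the pre-check reads the
 * same as the signed version and never computes a wrapped value at all.
 */
int add_size_checked(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return -1;          /* a + b would wrap */
    *out = a + b;
    return 0;
}
```

Compiling add_len_unchecked with optimisation (for example gcc -O2 -Wall) typically produces a warning that the comparison is always false, which is the concrete symptom behind the ticket's claim that lines 281-282 get discarded; the pre-check form produces no such warning and keeps the bounds check in the emitted code.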