Subject: krb5-1.6: segfault on password change
Getting segfault when trying to change the password.

The reason is a typo in a memset call and a use of an uninitialized
variable in lib/krb5/os/sendto_kdc.c

A patch is attached.
--- src/lib/krb5/os/sendto_kdc.c
+++ src/lib/krb5/os/sendto_kdc.c 2007/01/17 14:17:10
@@ -1100,7 +1100,7 @@
struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
int *addr_used)
{
- int i, pass;
+ int i = 0, pass;
int delay_this_pass = 2;
krb5_error_code retval;
struct conn_state *conns;
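Review bot: initializing `i` here only papers over the warning rather than fixing the size expression it feeds: the `sizeof(callback_data[i])` in the memset below never evaluates `i`, because the operand of sizeof is unevaluated unless its type is a variable-length array, so an uninitialized `i` there is a compiler diagnostic, not a runtime read. Prefer `sizeof(callback_data[0])` or `sizeof(*callback_data)`, which names the intended element type and needs no initialized index at all; the `for (i = 0; i < n_conns; i++)` loop that follows reassigns `i` anyway, so the `= 0` is harmless but redundant.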
@@ -1135,7 +1135,7 @@
return ENOMEM;
}

- memset(conns, 0, n_conns * sizeof(callback_data[i]));
+ memset(callback_data, 0, n_conns * sizeof(callback_data[i]));
}

for (i = 0; i < n_conns; i++) {
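Review bot: the removed line zeroed `conns` using the element size of `callback_data`, so whenever the callback element is larger than `struct conn_state` the memset runs past the end of the `conns` allocation (a plausible cause of the reported segfault), and whenever it is smaller, the tail of `conns` is left uninitialized. Pointing the memset at `callback_data` makes pointer and element size agree, but the hunk now clears nothing for `conns`: confirm that `conns` is initialized elsewhere (the `for (i = 0; i < n_conns; i++)` loop that follows may do it, but that is not visible here). Spell the size as `n_conns * sizeof(*callback_data)` so the element type is tied to the pointer actually being cleared and cannot drift again.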
From: jaltman@mit.edu
Subject: SVN Commit
sendto_kdc.c: use of a variable index into a dynamically
allocated array to determine the sizeof() an object makes
it unclear what type of object is involved. It also requires
a runtime check instead of a compile time replacement.
Not to mention that it could lead to the evaluation of an
uninitialized variable as was done in this case. Replace
sizeof(array index variable) with sizeof(type).

memset() the correct data structure.


Commit By: jaltman



Revision: 19065
Changed Files:
U trunk/src/lib/krb5/os/sendto_kdc.c
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5394] krb5-1.6: segfault on password change
Date: Thu, 18 Jan 2007 10:41:51 -0500
To: rt@krbdev.mit.edu
On Jan 18, 2007, at 05:45, Public Submitter via RT wrote:
> Getting segfault when trying to change the password.
>
> The reason is a typo in a memset call and a use of an uninitialized
> variable in lib/krb5/os/sendto_kdc.c

Tom and I were looking at this the other day. The uninitialized
variable shouldn't matter if it's only used in a sizeof expression.
The argument to sizeof isn't evaluated (except in the case of C99
variable-length arrays); only its type is needed. (Though it is
probably tidier to use something like sizeof(array[0]) and drop the
variable reference altogether.)

The memset bug would probably explain the problem, though...

Ken
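The two points in this thread, that a sizeof operand is not evaluated (so the "uninitialized" index never reads anything) and that a memset sized with the wrong element type over- or under-runs its target, are shown in the added C example below. It is not code from krb5 or from this ticket: `struct conn_state` and `struct cb_data` are hypothetical stand-ins for the two per-connection arrays in sendto_kdc.c, whose real definitions are not on this page, and `init_conn_tables` is an illustrative rewrite of the allocate-and-zero step using the `sizeof(*ptr)` idiom rather than an index variable.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two arrays in sendto_kdc.c. The real
 * struct conn_state and callback-data types are not shown on the page;
 * what matters here is only that their sizes differ. */
struct conn_state { int fd; int state; };
struct cb_data    { void *data; size_t len; void *cookie; int flags; };

/* A sizeof operand whose type is not a variable-length array is never
 * evaluated: the i++ inside it does not run. Returns i afterwards, which
 * is still 0. (With a VLA-typed operand, C99 does evaluate the operand.) */
size_t sizeof_index_side_effect(void) {
    struct cb_data *cb = NULL;     /* never dereferenced; only its type is used */
    size_t i = 0;
    size_t elem = sizeof(cb[i++]); /* == sizeof(struct cb_data); i++ not executed */
    (void)elem;
    return i;
}

/* Bytes the original (buggy) memset would write past the end of a block
 * holding n struct conn_state when the size is taken from cb_data instead.
 * Returns 0 when the wrong type happens to be no larger. */
size_t buggy_memset_overrun(size_t n) {
    size_t allocated = n * sizeof(struct conn_state);
    size_t written   = n * sizeof(struct cb_data);   /* wrong element type */
    return written > allocated ? written - allocated : 0;
}

/* Fixed pattern: allocate and zero each table with its own element size,
 * written as sizeof(*ptr) so no index variable is involved at all.
 * Returns 0 on success, -1 (standing in for ENOMEM) on allocation failure. */
int init_conn_tables(size_t n, struct conn_state **conns_out,
                     struct cb_data **cb_out) {
    struct conn_state *conns = malloc(n * sizeof(*conns));
    if (conns == NULL)
        return -1;
    struct cb_data *cb = malloc(n * sizeof(*cb));
    if (cb == NULL) {
        free(conns);
        return -1;
    }
    memset(conns, 0, n * sizeof(*conns));
    memset(cb, 0, n * sizeof(*cb));
    *conns_out = conns;
    *cb_out = cb;
    return 0;
}

/* Check that every byte of both tables (padding included) is zero. */
int tables_are_zeroed(const struct conn_state *conns,
                      const struct cb_data *cb, size_t n) {
    const unsigned char *p = (const unsigned char *)conns;
    for (size_t k = 0; k < n * sizeof(*conns); k++)
        if (p[k] != 0) return 0;
    p = (const unsigned char *)cb;
    for (size_t k = 0; k < n * sizeof(*cb); k++)
        if (p[k] != 0) return 0;
    return 1;
}

int main(void) {
    struct conn_state *conns;
    struct cb_data *cb;
    printf("i after sizeof(cb[i++]): %zu\n", sizeof_index_side_effect());
    printf("overrun for 4 entries with the wrong element size: %zu bytes\n",
           buggy_memset_overrun(4));
    if (init_conn_tables(3, &conns, &cb) != 0)
        return 1;
    printf("tables zeroed: %d\n", tables_are_zeroed(conns, cb, 3));
    free(conns);
    free(cb);
    return 0;
}
```

The overrun figure is the reason the memset typo, not the uninitialized index, is the candidate for the crash: with the callback element larger than the connection element, the wrong-type memset writes beyond the heap block it was handed.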
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19065 from trunk

r19065@cathode-dark-space: jaltman | 2007-01-18 06:35:33 -0500
ticket: 5394
tags: pullup

sendto_kdc.c: use of a variable index into a dynamically
allocated array to determine the sizeof() an object makes
it unclear what type of object is involved. It also requires
a runtime check instead of a compile time replacement.
Not to mention that it could lead to the evaluation of an
uninitialized variable as was done in this case. Replace
sizeof(array index variable) with sizeof(type).

memset() the correct data structure.




Commit By: tlyu



Revision: 19111
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/os/sendto_kdc.c