Ticket History #6796: segfault due to uninitialized variable in S4U

# Tue Oct 05 12:45:48 2010 "Arlene Berry" <aberry@likewise.com> - Ticket created

Subject:	segfault due to uninitialized variable in S4U
Date:	Mon, 4 Oct 2010 20:19:31 -0400
From:	"Arlene Berry" <aberry@likewise.com>
To:	<krb5-bugs@mit.edu>

Download (untitled) / with headers
text/plain 433B

Download (untitled) / with headers
text/html 2.3KiB

In src/lib/gssapi/krb5/s4u_gss_glue.c, krb5_gss_acquire_cred_impersonate_name doesn’t initialize cred. If kg_impersonate_name returns an error it doesn’t set cred either so when *output_cred_handle is set to cred it’s set to unitialized memory. The result is that gss_add_cred_impersonate_name in src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c will then call mech->gss_release_cred on a bad cred pointer in its errout section.

# Mon Oct 25 16:17:54 2010 ghudson@mit.edu (Greg Hudson) - Given to ghudson@mit.edu (Greg Hudson)

# Mon Oct 25 16:17:55 2010 ghudson@mit.edu (Greg Hudson) - Target_Version 1.9 added

# Mon Oct 25 16:17:55 2010 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Mon Oct 25 16:17:55 2010 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Mon Oct 25 16:17:55 2010 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 281B

Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.

https://github.com/krb5/krb5/commit/de8d9634dbe6b86f60d4e2adbdad5cda5fc8c9aa
Commit By: ghudson
Revision: 24481
Changed Files:
U trunk/src/lib/gssapi/krb5/s4u_gss_glue.c

# Mon Nov 01 16:36:38 2010 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Mon Nov 01 16:36:38 2010 tlyu (Taylor Yu) - Version_Fixed 1.9 added

# Mon Nov 01 16:36:38 2010 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 518B

pull up r24481 from trunk

------------------------------------------------------------------------
r24481 | ghudson | 2010-10-25 16:17:54 -0400 (Mon, 25 Oct 2010) | 7 lines

ticket: 6796
target_version: 1.9
tags: pullup

Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.

https://github.com/krb5/krb5/commit/f81030c8386e20914d027d07a9991ae879987ae0
Commit By: tlyu
Revision: 24499
Changed Files:
U branches/krb5-1-9/src/lib/gssapi/krb5/s4u_gss_glue.c

# Wed Dec 16 18:02:56 2015 tlyu (Taylor Yu) - CustomField pullup deleted