| Date: | Wed, 30 Aug 2023 21:46:10 +0100 |
| To: | krb5-bugs@mit.edu |
| From: | "Ilya Gladyshev" <ilya.v.gladyshev@gmail.com> |
| Subject: | segfault trying to free a garbage pointer |
Hi,
I have recently encountered a segfault while using psql (PostgreSQL client, version 13) on macos. psql uses krb5-1.21.2 internally and as I started exploring the problem I obtained the following callstack that led to a segfault:
0 libkrb5.3.3.dylib 0x10471ec18 krb5_free_principal + 20
1 libkrb5.3.3.dylib 0x104701ad0 krb5_cccol_have_content + 188
2 libgssapi_krb5.2.2.dylib 0x104531894 acquire_cred_context + 1664
3 libgssapi_krb5.2.2.dylib 0x10453119c acquire_cred_from + 688
4 libgssapi_krb5.2.2.dylib 0x104523180 gss_add_cred_from + 624
So it seems to me that the problem is in krb5 library. I looked at the source code and the problem seems obvious to me, but I might be missing something here. I have attached a patch to fix it, and here’s my understanding of what’s going on there: inside the krb5_cccol_have_content the princ variable may stay uninitialized even after a call to krb5_cc_get_principal, so krb5_free_principal will try to free a garbage pointer or it might try to do a double free if princ was assigned and freed on a previous loop iteration. Setting princ to NULL at the beginning of each loop seems enough to me, because krb5_free_principal has checks for NULL.
Regards,
Ilya
P.S. you might want to update the url to access the repository on the website https://kerberos.org/dist/testing.html#git as github no longer supports git:// protocol links.
Message body not shown because it is not plain text.