
Re: 0.2q kdc bug found



"Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu> writes:
> Observe, please, in connect.c:

Right.  Um.  Hm. Hm. Or something. :-(  I should probably run away and
hide somewhere.

> d->sa in each entry points into the wrong memory block after the realloc(), 
> if realloc() decides to return a different memory block (which it 
> apparently does on Solaris).

And there's another realloc further down in the code.  My proposed
patch is included below.  Can you please test it?  I'll try to roll a
0.2r later tonight.

/assar

Index: connect.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kdc/connect.c,v
retrieving revision 1.72
diff -u -w -u -w -r1.72 connect.c
--- connect.c	2000/02/22 22:43:44	1.72
+++ connect.c	2000/03/29 20:34:16
@@ -208,6 +208,19 @@
 }
 
 /*
+ * re-intialize all `n' ->sa in `d'.
+ */
+
+static void
+reinit_descrs (struct descr *d, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	d[i].sa = (struct sockaddr *)&d[i].__ss;
+}
+
+/*
  * Create the socket (family, type, port) in `d'
  */
 
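Review bot: the new comment spells it `re-intialize`; it should read `re-initialize`. More importantly, reinit_descrs() overwrites every entry's `sa` with `&d[i].__ss` unconditionally, so it is only correct under the invariant that each descriptor's `sa` always points at its own `__ss` and never at storage elsewhere; stating that invariant in the comment would help the next reader. Calling it with `d == NULL` and `n == 0` is harmless, since the loop body never runs.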
@@ -318,6 +331,7 @@
     d = realloc(d, num * sizeof(*d));
     if (d == NULL && num != 0)
 	krb5_errx(context, 1, "realloc(%u) failed", num * sizeof(*d));
+    reinit_descrs (d, num);
     *desc = d;
     return num;
 }
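Review bot: reinit_descrs() is placed correctly after the NULL check, so the first realloc() site is covered. Two pre-existing points on the same lines: `d = realloc(d, ...)` discards the old pointer when realloc fails, which is only acceptable because krb5_errx() terminates the process; and `"realloc(%u)"` is passed `num * sizeof(*d)`, a size_t, so the argument should be cast to unsigned (or the conversion changed to match) to avoid a mismatched printf argument.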
@@ -561,7 +575,7 @@
     krb5_ret_int32(sp, &len);
     krb5_storage_free(sp);
     if(d->len - 4 >= len) {
-	memcpy(d->buf, d->buf + 4, d->len - 4);
+	memmove(d->buf, d->buf + 4, d->len - 4);
 	return 1;
     }
     return 0;
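Review bot: memmove() is the right call here, since the source `d->buf + 4` and destination `d->buf` overlap and memcpy() on overlapping regions is undefined behaviour. While touching this block: the return value of krb5_ret_int32() is ignored, and `len` is filled with a signed 32-bit value, so a negative `len` satisfies `d->len - 4 >= len`; checking the return value and requiring `len >= 0` before the comparison would close that gap.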
@@ -737,6 +751,7 @@
 		krb5_warnx(context, "No memory");
 	    else{
 		d = tmp;
+		reinit_descrs (d, ndescr);
 		memset(d + ndescr, 0, 4 * sizeof(*d));
 		for(i = ndescr; i < ndescr + 4; i++)
 		    init_descr (&d[i]);
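Review bot: the ordering is right: reinit_descrs(d, ndescr) repairs the existing entries immediately after `d = tmp`, and the four new entries get their `sa` from init_descr() after the memset, so nothing is initialised twice. Unlike the first realloc() site, this one keeps the old pointer in `d` when realloc fails (`tmp == NULL`), which is the safer pattern; consider using it at the other site as well.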
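The bug discussed in this thread, a struct that holds a pointer into its own storage and therefore goes stale whenever realloc() moves the array, is easy to reproduce in isolation. The following is an added example, not code from the thread or from Heimdal: `struct descr`, `init_descr()`, `moving_realloc()` and `grow_and_count()` are constructed stand-ins, and `moving_realloc()` always copies into a fresh block (the real realloc() merely may move it) so that the demonstration is deterministic. `reinit_descrs()` follows the same idea as the patch's function of that name.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for the kdc's `struct descr` (hypothetical, not the
 * real Heimdal definition): it holds a pointer into its own storage. */
struct descr {
    int s;                        /* socket fd, unused here */
    struct sockaddr *sa;          /* expected to point at __ss below */
    struct sockaddr_storage __ss; /* the storage sa refers to */
};

/* Set up one entry so that its sa points at its own __ss. */
static void init_descr(struct descr *d)
{
    memset(d, 0, sizeof(*d));
    d->s = -1;
    d->sa = (struct sockaddr *)&d->__ss;
}

/* Same idea as the patch's reinit_descrs(): after the array may have moved,
 * re-point every entry's sa at its own __ss in the new block. */
static void reinit_descrs(struct descr *d, int n)
{
    int i;
    for (i = 0; i < n; ++i)
        d[i].sa = (struct sockaddr *)&d[i].__ss;
}

/* Number of entries whose sa does not point into their own slot. */
static int count_dangling(const struct descr *d, int n)
{
    int i, bad = 0;
    for (i = 0; i < n; ++i)
        if (d[i].sa != (const struct sockaddr *)&d[i].__ss)
            ++bad;
    return bad;
}

/* realloc() is only *allowed* to move the block. To make the failure
 * reproducible this helper always copies into a fresh allocation; the
 * caller is responsible for freeing the old block. */
static struct descr *moving_realloc(const struct descr *old, int oldn, int newn)
{
    struct descr *fresh = malloc((size_t)newn * sizeof(*fresh));
    if (fresh == NULL)
        return NULL;
    memcpy(fresh, old, (size_t)oldn * sizeof(*fresh));
    return fresh;
}

/* Grow an array from n to n + extra entries. With fix == 0 this mirrors the
 * pre-patch code path (existing entries keep their old sa); with fix != 0
 * it calls reinit_descrs() the way the patch does. Returns the number of
 * entries left with a stale sa, or -1 on allocation failure. */
static int grow_and_count(int n, int extra, int fix)
{
    struct descr *old, *d;
    int i, bad;

    old = malloc((size_t)n * sizeof(*old));
    if (old == NULL)
        return -1;
    for (i = 0; i < n; ++i)
        init_descr(&old[i]);

    d = moving_realloc(old, n, n + extra);
    if (d == NULL) {
        free(old);
        return -1;
    }
    if (fix)
        reinit_descrs(d, n);          /* the patch's addition */
    for (i = n; i < n + extra; ++i)
        init_descr(&d[i]);            /* new entries are set up either way */

    bad = count_dangling(d, n + extra);
    free(old);                        /* kept alive until after the count */
    free(d);
    return bad;
}
```

With three existing entries grown by four, the unfixed path leaves all three old entries pointing into the previous block while the fixed path leaves none; the same applies to any member that stores the address of a sibling member, which is why a realloc() of such an array always needs a re-pointing pass.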