[2659] in Kerberos
Bug in Kerberos V5 beta 2
daemon@ATHENA.MIT.EDU (Glenn NoI Machin)
Fri Apr 2 11:04:02 1993
Date: Fri, 2 Apr 93 08:37:33 MST
From: gmachin@somnet.sandia.gov (Glenn NoI Machin)
To: kerberos@Athena.MIT.EDU
I don't know if this bug was reported earlier but
there is a problem in kdc/network.c with freeing
memory prior to using it....
In the file kdc/network.c ~ line 211
a krb5_free_data(response) is done and then
6 lines later a comparison is done between
cc and response->length:

    cc = sendto(port_fd, response->data, response->length, 0,
                (struct sockaddr *)&saddr, saddr_len);
    krb5_free_data(response);
    if (cc == -1) {
        com_err(prog, errno, "while sending reply to %s/%d",
                inet_ntoa(saddr.sin_addr), ntohs(saddr.sin_port));
        return errno;
    }
    if (cc != response->length) {
        com_err(prog, 0, "short reply write %d vs %d\n",
                response->length, cc);
        return KDC5_IO_RESPONSE;
    }

Glenn
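
Added example, not part of the original post or of the Kerberos sources: one way to repair the pattern reported above, copying every value that is read after the free (the length, and errno) into a local before the buffer is released. struct reply, xmit_fn, SEND_SHORT, run_case and the xmit_* transports are hypothetical stand-ins for krb5_data, sendto() and KDC5_IO_RESPONSE.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for krb5_data: only the two fields the quoted code touches. */
struct reply { size_t length; char *data; };

/* Hypothetical hook in place of sendto(): bytes sent, or -1 with errno set. */
typedef ssize_t (*xmit_fn)(const char *buf, size_t len);

enum { SEND_OK = 0, SEND_SHORT = -2 }; /* SEND_SHORT plays the role of KDC5_IO_RESPONSE */

/* Send, then release. Everything read after the free is copied to locals first. */
int send_and_release(struct reply *r, xmit_fn xmit)
{
    size_t len = r->length;          /* saved: r is gone after the free below */
    ssize_t cc = xmit(r->data, len);
    int saved_errno = errno;         /* saved: some libcs let free() change errno */
    free(r->data);
    free(r);                         /* no r-> dereference past this line */
    if (cc == -1) return saved_errno;
    if ((size_t)cc != len) return SEND_SHORT;
    return SEND_OK;
}

/* Constructed transports covering the three outcomes the KDC code checks for. */
static ssize_t xmit_all(const char *b, size_t n)  { (void)b; return (ssize_t)n; }
static ssize_t xmit_half(const char *b, size_t n) { (void)b; return (ssize_t)(n / 2); }
static ssize_t xmit_fail(const char *b, size_t n) { (void)b; (void)n; errno = ECONNREFUSED; return -1; }

int run_case(xmit_fn xmit)
{
    static const char msg[] = "constructed KDC reply"; /* constructed sample payload */
    struct reply *r = malloc(sizeof *r);
    if (r == NULL) return ENOMEM;
    r->length = sizeof msg - 1;
    r->data = malloc(sizeof msg);
    if (r->data == NULL) { free(r); return ENOMEM; }
    memcpy(r->data, msg, sizeof msg);
    return send_and_release(r, xmit);
}

int main(void)
{
    printf("%d %d %d\n", run_case(xmit_all), run_case(xmit_half), run_case(xmit_fail));
    return 0;
}
```

Building the original ordering with a memory checker such as AddressSanitizer or Valgrind reports the read of response->length as a use of freed heap memory; the ordering above runs clean under both.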