[patch] 2.1.25 GSSAPI client crash, NULL ptr dereference




Upgraded Cyrus-SASL via FreeBSD ports from 2.1.23 to 2.1.25 and mutt
started seg-faulting on authentication to my (cyrus) IMAP server.

Rebuilt mutt, etc, confirmed the usual suspects, but every time, a crash

#0  0x000000080399e0c6 in sasl_gss_encode (context=0x802bfdc80, invec=Variable "invec" is not available.
) at gssapi.c:387
387		p[0] = (output_token->length>>24) & 0xFF;

p was always NULL.

Looked, and on a hunch tried a modification, attached as a patch; it
worked.  What I suspect is happening is that _plug_buf_alloc() can
change the value of text->encode_buf, which is why the API takes its
address; thus taking a copy of it and putting it in "p" beforehand is a

Unless p needs to be the original one, but since this patch works, I
suspect not.  But I'm not familiar with the code, so am not 100% sure.

I can believe that the behaviour and likelihood of realloc (or having a
NULL in the first place) depends upon the GSSAPI library implementation,
which might be why this hasn't shown up for others?  I'm using Heimdal

--- gssapi.c.old	2011-10-07 03:11:43.000000000 +0000
+++ gssapi.c	2011-10-07 03:12:12.000000000 +0000
@@ -370,7 +370,7 @@ sasl_gss_encode(void *context, const str
     if (output_token->value && output) {
-	unsigned char * p = (unsigned char *) text->encode_buf;
+	unsigned char * p;
 	ret = _plug_buf_alloc(text->utils,
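Review bot: Dropping the initializer here is the right change, because `text->encode_buf` was being read before `_plug_buf_alloc()` had a chance to allocate or move the buffer; on a fresh context that read yields exactly the NULL `p` seen in the backtrace, and once the buffer exists and is moved by a realloc (the mail's own hypothesis) the early snapshot would instead point into freed memory, so the old ordering was a stale-pointer hazard as well as a NULL dereference. One small suggestion: `p` is now uninitialized until the assignment in the next hunk, which is safe only because every path to its use goes through that assignment; an explicit `unsigned char * p = NULL;` or a one-line comment would make it harder for a later refactor to reintroduce the early read.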
@@ -383,6 +383,8 @@ sasl_gss_encode(void *context, const str
 	    return ret;
+	p = (unsigned char *) text->encode_buf;
 	p[0] = (output_token->length>>24) & 0xFF;
 	p[1] = (output_token->length>>16) & 0xFF;
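Review bot: Placing the assignment after the `return ret;` error path on the preceding context line is the correct spot, since `p` is then taken from `text->encode_buf` only once `_plug_buf_alloc()` has succeeded, which is what the function's pointer-to-pointer parameter implies. A short comment next to the new line, for example `/* encode_buf may have been (re)allocated above */`, would document why this read must stay below the allocation call; the `unsigned char *` cast and the byte-wise length prefix that follows are otherwise unchanged and fine.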

Attachment: pgphO4gngGCbU.pgp
Description: PGP signature
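The ordering bug the mail describes, as an added stand-alone example that is not part of the original message or of Cyrus SASL: a hypothetical `enc_ctx` with a grow-on-demand buffer, a `grow_buf()` helper that takes the address of the pointer because it may (re)allocate it (modelled on the inferred contract of `_plug_buf_alloc()`), and the two orderings side by side. The buggy path reports a stale pointer instead of dereferencing it, so the program runs cleanly while still showing why a first call on a fresh context (buffer still NULL) cannot succeed. All names and the 4-byte big-endian framing are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context modelled on the shape described in the mail: the
 * output buffer starts out NULL and is grown on demand. Not libsasl code. */
struct enc_ctx {
    char  *encode_buf;
    size_t encode_buf_len;
};

/* Stand-in for _plug_buf_alloc(): takes the address of the pointer because
 * it may allocate a new buffer or move an existing one. */
static int grow_buf(char **buf, size_t *len, size_t needed)
{
    char *n;
    if (*buf != NULL && *len >= needed)
        return 0;
    n = realloc(*buf, needed);
    if (n == NULL)
        return -1;
    *buf = n;
    *len = needed;
    return 0;
}

/* Write a 4-byte big-endian length prefix followed by the payload, the
 * framing the patched lines perform. */
static void put_frame(unsigned char *p, const char *payload, size_t plen)
{
    p[0] = (plen >> 24) & 0xFF;
    p[1] = (plen >> 16) & 0xFF;
    p[2] = (plen >> 8) & 0xFF;
    p[3] = plen & 0xFF;
    memcpy(p + 4, payload, plen);
}

/* The pre-patch ordering: the destination pointer is copied out of the
 * context BEFORE the buffer is grown. Instead of dereferencing the stale
 * copy (undefined behaviour), report it: -2 means p is NULL or no longer
 * points at the live buffer. */
int encode_before_fix(struct enc_ctx *ctx, const char *payload, size_t plen)
{
    unsigned char *p = (unsigned char *)ctx->encode_buf;   /* too early */
    if (grow_buf(&ctx->encode_buf, &ctx->encode_buf_len, plen + 4) != 0)
        return -1;
    if (p == NULL || p != (unsigned char *)ctx->encode_buf)
        return -2;   /* real code would crash here or write freed memory */
    put_frame(p, payload, plen);
    return 0;
}

/* The patched ordering: grow first, then read the (possibly new) pointer. */
int encode_after_fix(struct enc_ctx *ctx, const char *payload, size_t plen)
{
    unsigned char *p;
    if (grow_buf(&ctx->encode_buf, &ctx->encode_buf_len, plen + 4) != 0)
        return -1;
    p = (unsigned char *)ctx->encode_buf;   /* read after allocation */
    put_frame(p, payload, plen);
    return 0;
}

/* Fresh context (buffer still NULL), as on the first encode after
 * authentication: returns the status code of the buggy path. */
int demo_buggy_path(void)
{
    struct enc_ctx ctx = { NULL, 0 };
    int rc = encode_before_fix(&ctx, "hello", 5);
    free(ctx.encode_buf);
    return rc;
}

/* Same input through the fixed path: returns the decoded length prefix if
 * the frame is intact, -1 otherwise. */
long demo_fixed_path(void)
{
    struct enc_ctx ctx = { NULL, 0 };
    unsigned char *p;
    long len;
    int ok;
    if (encode_after_fix(&ctx, "hello", 5) != 0)
        return -1;
    p = (unsigned char *)ctx.encode_buf;
    len = ((long)p[0] << 24) | ((long)p[1] << 16) | ((long)p[2] << 8) | p[3];
    ok = memcmp(ctx.encode_buf + 4, "hello", 5) == 0;
    free(ctx.encode_buf);
    return ok ? len : -1;
}

int main(void)
{
    printf("buggy ordering on fresh context: %d\n", demo_buggy_path());
    printf("fixed ordering length prefix: %ld\n", demo_fixed_path());
    return 0;
}
```

Only the fresh-context case is deterministic here; whether a later `realloc` moves the buffer depends on the allocator, which matches the mail's observation that the crash may only surface with some GSSAPI library implementations.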
