Folks,

Upgraded Cyrus-SASL via FreeBSD ports from 2.1.23 to 2.1.25 and mutt started seg-faulting on authentication to my (cyrus) IMAP server. Rebuilt mutt, etc., confirmed the usual suspects, but every time, a crash on:

#0 0x000000080399e0c6 in sasl_gss_encode (context=0x802bfdc80, invec=Variable "invec" is not available.
) at gssapi.c:387
387         p[0] = (output_token->length>>24) & 0xFF;

p was always NULL. Looked, and on a hunch tried a modification, attached as a patch; it worked.

What I suspect is happening is that _plug_buf_alloc() can change the value of text->encode_buf, which is why the API takes its address; thus taking a copy of it and putting it in "p" beforehand is a mistake. Unless p needs to be the original one, but since this patch works, I suspect not. But I'm not familiar with the code, so am not 100% sure.

I can believe that the behaviour and likelihood of realloc (or having a NULL in the first place) depends upon the GSSAPI library implementation, which might be why this hasn't shown up for others? I'm using Heimdal 1.4.

-Phil
--- gssapi.c.old 2011-10-07 03:11:43.000000000 +0000 +++ gssapi.c 2011-10-07 03:12:12.000000000 +0000 @@ -370,7 +370,7 @@ sasl_gss_encode(void *context, const str } if (output_token->value && output) { - unsigned char * p = (unsigned char *) text->encode_buf; + unsigned char * p; ret = _plug_buf_alloc(text->utils, &(text->encode_buf), @@ -383,6 +383,8 @@ sasl_gss_encode(void *context, const str GSS_UNLOCK_MUTEX(text->utils); return ret; } + + p = (unsigned char *) text->encode_buf; p[0] = (output_token->length>>24) & 0xFF; p[1] = (output_token->length>>16) & 0xFF;
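Review bot: in the first hunk (around line 370), dropping the initializer `unsigned char * p = (unsigned char *) text->encode_buf;` is the right call, because that read happens before `_plug_buf_alloc()` is handed `&(text->encode_buf)`, so on the first encode it captures NULL and on a grow it captures the block about to be passed to realloc; but leaving `unsigned char * p;` declared with no value at the top of the block, across the `return ret;` error path, invites a maybe-uninitialized warning and makes it easy for someone to hoist the read back up. Suggest moving the declaration down to the point of assignment, or initializing it to NULL with a comment that it must not be read before the alloc.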
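Review bot: in the second hunk (around line 383), the new `p = (unsigned char *) text->encode_buf;` is correctly placed after the `ret != SASL_OK` check, but it carries no comment, and the only reason for the ordering is that `_plug_buf_alloc()` may allocate or move `text->encode_buf`; a one-line comment above the assignment saying so would stop the next reader from "tidying" it back to the top of the block. Since `p` is now never anything other than `text->encode_buf`, the four header stores `p[0]` .. `p[3]` could also be written through `text->encode_buf` directly and `p` removed, which makes the stale-copy mistake impossible rather than just fixed.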
Attachment:
pgphO4gngGCbU.pgp
Description: PGP signature
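Added example, written for this post; it is neither cyrus-sasl code nor the reporter's patch. It models the two things the report turns on: a `_plug_buf_alloc()`-style helper that may allocate or realloc() the buffer it is handed by address, and the patched ordering in which `p` is taken from `text->encode_buf` only after that call. The `gss_ex_` names, the context struct and the growth policy are assumptions, and the sample tokens are constructed; the framing itself (4-byte big-endian length, then the token) follows the lines visible in the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two fields of sasl_gss_encode()'s `text`
 * that matter here; the real context has many more. */
struct gss_ex_ctx {
    unsigned char *encode_buf;      /* NULL until the first encode */
    unsigned int   encode_buf_len;  /* bytes currently allocated */
};

/* Model of _plug_buf_alloc(): ensure *buf holds at least `need` bytes.
 * The growth policy (double from 64) is an assumption.  What matters is
 * that it goes through realloc(), so *buf is NULL before the first call
 * and may move on any later one; that is why the real helper receives
 * &(text->encode_buf) rather than the pointer value. */
static int gss_ex_buf_alloc(unsigned char **buf, unsigned int *len, unsigned int need)
{
    unsigned int newlen;
    unsigned char *grown;

    if (*buf != NULL && *len >= need)
        return 0;                   /* big enough: pointer unchanged */

    newlen = *len ? *len : 64;
    while (newlen < need)
        newlen *= 2;

    grown = realloc(*buf, newlen);  /* may return a different address */
    if (grown == NULL)
        return -1;

    *buf = grown;
    *len = newlen;
    return 0;
}

/* Framing as the patched code does it: 4-byte big-endian length, then
 * the token bytes.  `p` is read from text->encode_buf only after the
 * alloc succeeded, so it is neither NULL on the first call nor a
 * pre-realloc pointer after a grow.  Returns 0 and sets *out/*outlen,
 * or -1 if the buffer could not be allocated. */
static int gss_ex_frame(struct gss_ex_ctx *text,
                        const unsigned char *token, unsigned int toklen,
                        const unsigned char **out, unsigned int *outlen)
{
    unsigned char *p;

    if (gss_ex_buf_alloc(&text->encode_buf, &text->encode_buf_len, toklen + 4) != 0)
        return -1;

    p = text->encode_buf;           /* the fix: take the pointer here, not earlier */
    p[0] = (toklen >> 24) & 0xFF;
    p[1] = (toklen >> 16) & 0xFF;
    p[2] = (toklen >> 8) & 0xFF;
    p[3] = toklen & 0xFF;
    memcpy(text->encode_buf + 4, token, toklen);

    *out = text->encode_buf;
    *outlen = toklen + 4;
    return 0;
}

/* Receiver side: recover the token length from the 4-byte prefix. */
static unsigned int gss_ex_frame_len(const unsigned char *frame)
{
    return ((unsigned int)frame[0] << 24) | ((unsigned int)frame[1] << 16)
         | ((unsigned int)frame[2] << 8)  |  (unsigned int)frame[3];
}

/* Replays the report: a first encode with encode_buf still NULL, then a
 * token too large for the buffer so the model must realloc().  Returns
 * the number of calls in which the old code's `p` (encode_buf captured
 * before the alloc) was unusable, or -1 if the framing itself failed. */
static int gss_ex_scenario(void)
{
    struct gss_ex_ctx text = { NULL, 0 };
    unsigned char small[8], big[1024];  /* constructed sample tokens */
    const unsigned char *out;
    unsigned int outlen, len_before;
    int unsafe = 0;

    memset(small, 0xAB, sizeof small);
    memset(big, 0xCD, sizeof big);

    /* Call 1: what the old code would have put in p is NULL (the reporter's crash). */
    if (text.encode_buf == NULL)
        unsafe++;
    if (gss_ex_frame(&text, small, sizeof small, &out, &outlen) != 0)
        return -1;
    if (outlen != sizeof small + 4 || gss_ex_frame_len(out) != sizeof small
        || memcmp(out + 4, small, sizeof small) != 0)
        return -1;

    /* Call 2: buffer too small, so the block the old p pointed at is handed to realloc(). */
    len_before = text.encode_buf_len;
    if (gss_ex_frame(&text, big, sizeof big, &out, &outlen) != 0)
        return -1;
    if (len_before < sizeof big + 4)
        unsafe++;
    if (outlen != sizeof big + 4 || gss_ex_frame_len(out) != sizeof big
        || memcmp(out + 4, big, sizeof big) != 0)
        return -1;

    free(text.encode_buf);
    return unsafe;
}

int main(void)
{
    printf("pre-alloc pointer captures that were unsafe: %d\n", gss_ex_scenario());
    return 0;
}
```

Both captures in the scenario are unsafe: the first because the buffer does not exist yet, the second because the block is handed to realloc() and may be freed behind the copy. Whether realloc() actually moves it is up to the allocator, which is why the reporter's guess that the crash is library- and platform-dependent is plausible: the NULL case is deterministic, the stale-pointer case is not.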