In sasl 2.1.25 gssapi module dumps core during gssapi authentication for OpenLDAP:

Analysis:

At line 373 in plugins/gssapi.c, function sasl_gss_encode declares *p and sets it at the same time to text->encode_buf. The problem is that this function can be called without a buffer, in which case the subsequent call to _plug_buf_alloc allocates a new buffer (instead of resizing an existing buffer) and sets text->encode_buf to point to it. The problem is that p is never updated with the buffer address.

This same bug is likely to cause heap corruption if the buffer already exists and has to be resized by _plug_buf_alloc, as the resized buffer will have a new address and p will not be updated.

The fix is as follows:

diff -r cyrus-sasl-2.1.25/plugins/gssapi.c cyrus-sasl-2.1.25.fixed/plugins/gssapi.c 373c373 < unsigned char * p = (unsigned char *) text->encode_buf; --- > unsigned char * p; 386c386,387 < --- > > p = (unsigned char *) text->encode_buf;

Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
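
Review bot: at 386c386,387 the new "p = (unsigned char *) text->encode_buf;" only cures the stale pointer if it sits after the _plug_buf_alloc call and after that call's return value has been checked, and this context-free diff shows neither. Resending it as a unified diff (diff -u) would let a reader confirm the placement. Since 373c373 now leaves p uninitialized at its declaration, it is also worth checking that nothing between lines 373 and 387 reads p.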
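
The stale-pointer pattern described in the analysis above, as an added C example that is not part of the original report or of cyrus-sasl. `struct ctx`, `grow_buf`, `encode` and `captured_early_is_stale` are hypothetical names, with `grow_buf` standing in for a `_plug_buf_alloc`-style helper.

```c
/* Added illustration, not cyrus-sasl code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ctx { char *encode_buf; unsigned encode_buf_len; };

/* Allocate the buffer if absent, otherwise resize it. Either way *buf
 * may hold a different address on return. */
static int grow_buf(char **buf, unsigned *curlen, unsigned newlen)
{
    if (*buf != NULL && *curlen >= newlen) return 0;
    char *n = realloc(*buf, newlen);      /* realloc(NULL, n) acts as malloc */
    if (n == NULL) return -1;
    *buf = n; *curlen = newlen;
    return 0;
}

/* Fixed ordering: take the write pointer only after the helper succeeded.
 * The 4-byte big-endian length prefix is illustrative framing. */
static int encode(struct ctx *text, const char *in, unsigned inlen)
{
    unsigned char *p;                          /* deliberately not set yet */
    if (grow_buf(&text->encode_buf, &text->encode_buf_len, inlen + 4) != 0)
        return -1;                             /* p is never used on failure */
    p = (unsigned char *) text->encode_buf;    /* address valid after growth */
    p[0] = (unsigned char)(inlen >> 24); p[1] = (unsigned char)(inlen >> 16);
    p[2] = (unsigned char)(inlen >> 8);  p[3] = (unsigned char) inlen;
    memcpy(p + 4, in, inlen);
    return (int)(inlen + 4);
}

/* Returns 1 when a pointer captured before the helper call (the pre-fix
 * ordering) no longer matches encode_buf afterwards, 0 if it still matches. */
static int captured_early_is_stale(struct ctx *text, unsigned need)
{
    uintptr_t early = (uintptr_t) text->encode_buf;   /* pre-fix capture point */
    if (grow_buf(&text->encode_buf, &text->encode_buf_len, need) != 0)
        return -1;
    return early != (uintptr_t) text->encode_buf;
}

int main(void)
{
    struct ctx a = {0}, b = {0};               /* constructed: no buffer yet */
    printf("stale=%d encoded=%d\n", captured_early_is_stale(&a, 16),
           encode(&b, "hello", 5));
    free(a.encode_buf); free(b.encode_buf);
    return 0;
}
```

In the resize case the early pointer may or may not still match, since realloc is free to extend in place, which is why that variant of the bug can go unnoticed until the heap layout changes.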