[patch] 2.1.25 GSSAPI client crash, NULL ptr dereference

Alexey Melnikov alexey.melnikov at isode.com
Fri Oct 7 07:13:38 EDT 2011


Phil Pennock wrote:

>Folks,
>  
>
Hi Phil,

>Upgraded Cyrus-SASL via FreeBSD ports from 2.1.23 to 2.1.25 and mutt
>started seg-faulting on authentication to my (cyrus) IMAP server.
>
>Rebuilt mutt, etc, confirmed the usual suspects, but every time, a crash
>on:
>
>#0  0x000000080399e0c6 in sasl_gss_encode (context=0x802bfdc80, invec=Variable "invec" is not available.
>) at gssapi.c:387
>387		p[0] = (output_token->length>>24) & 0xFF;
>
>p was always NULL.
>
>Looked, and on a hunch tried a modification, attached as a patch; it
>worked.  What I suspect is happening is that _plug_buf_alloc() can
>change the value of text->encode_buf, which is why the API takes its
>address; thus taking a copy of it and putting it in "p" beforehand is a
>mistake.
>
>Unless p needs to be the original one, but since this patch works, I
>suspect not.  But I'm not familiar with the code, so am not 100% sure.
>  
>
I think your patch is correct. I will commit.

Thanks for doing that.

Best Regards,
Alexey

>I can believe that the behaviour and likelihood of realloc (or having a
>NULL in the first place) depends upon the GSSAPI library implementation,
>which might be why this hasn't shown up for others?  I'm using Heimdal
>1.4.
>  
>
>-Phil
>
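The mechanism Phil describes above (a pointer copied from `text->encode_buf` before `_plug_buf_alloc()` runs is stale once that call allocates or moves the buffer) is shown below in a constructed C example. This is added illustration, not code from the thread or from Cyrus-SASL: `gss_ctx`, `plug_buf_alloc()`, `gss_encode_fixed()` and `cached_pointer_would_be_stale()` are hypothetical stand-ins that mirror the shape of the real calls, and the token framing (4-byte big-endian length, then token bytes) follows the `p[0] = (output_token->length>>24) & 0xFF;` line quoted from gssapi.c.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the context fields the report refers to. */
typedef struct {
    char *encode_buf;        /* NULL until first use; may move when grown */
    unsigned encode_buf_len;
} gss_ctx;

/* Hypothetical stand-in for _plug_buf_alloc(): make sure *buf holds at least
 * need bytes. It takes the ADDRESS of the buffer pointer precisely because
 * realloc() may return a different block, so callers must re-read *buf after
 * the call. Returns 0 on success, -1 on allocation failure. */
static int plug_buf_alloc(char **buf, unsigned *len, unsigned need)
{
    if (*buf != NULL && *len >= need)
        return 0;
    /* Grow geometrically so repeated encodes do not realloc every time. */
    unsigned newlen = (*len == 0) ? 64 : *len;
    while (newlen < need)
        newlen *= 2;
    char *nb = realloc(*buf, newlen);
    if (nb == NULL)
        return -1;
    *buf = nb;
    *len = newlen;
    return 0;
}

/* Corrected shape of the encode step: p is read from text->encode_buf only
 * AFTER plug_buf_alloc() has run. Writes a 4-byte big-endian length followed
 * by the token. Returns the framed length, or 0 on allocation failure. */
static unsigned gss_encode_fixed(gss_ctx *text, const unsigned char *tok, uint32_t toklen)
{
    if (plug_buf_alloc(&text->encode_buf, &text->encode_buf_len, toklen + 4) != 0)
        return 0;
    unsigned char *p = (unsigned char *)text->encode_buf;  /* fresh value */
    p[0] = (toklen >> 24) & 0xFF;
    p[1] = (toklen >> 16) & 0xFF;
    p[2] = (toklen >> 8) & 0xFF;
    p[3] = toklen & 0xFF;
    memcpy(p + 4, tok, toklen);
    return toklen + 4;
}

/* Parse the 4-byte length prefix back out, to check the framing. */
static uint32_t framed_length(const gss_ctx *text)
{
    const unsigned char *p = (const unsigned char *)text->encode_buf;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Why caching p before the allocation is wrong: on a fresh context the cached
 * value is NULL (the crash in the report), and on a later call the block can
 * move. Returns 1 if a pointer cached before the call would be stale (NULL or
 * moved), 0 if it would still be valid, -1 on allocation failure. Pointer
 * values are compared as integers so no freed pointer is ever dereferenced. */
static int cached_pointer_would_be_stale(gss_ctx *text, unsigned need)
{
    uintptr_t before = (uintptr_t)text->encode_buf;
    if (plug_buf_alloc(&text->encode_buf, &text->encode_buf_len, need) != 0)
        return -1;
    return (before == 0 || before != (uintptr_t)text->encode_buf) ? 1 : 0;
}
```

The first call on a zeroed context is the case in the backtrace: the buffer is still NULL, so any `p` taken before the allocation is NULL and the `p[0] = ...` store faults. Later calls are the silent variant, where `p` points at a block `realloc()` may already have freed; that one corrupts memory rather than crashing, which is why fetching the pointer after the allocation call is the only safe ordering.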
