Sergio Gelato <[EMAIL PROTECTED]> writes:

> Package: libkrb53
> Version: 1.3.6-2

> In investigating a suspicious "free(): invalid pointer" message from
> ssh-krb5 3.8.1p1-7 I discovered that gss_init_sec_context() doesn't
> always initialise output_token (setting output_token->length=0 would be
> enough) as required by RFC 2744 section 5.19.

> On the OpenSSH side, the problem is exposed by a call from
> ssh_gssapi_check_mechanism() that occurs just before kex_setup(). It
> would be easy to work around the problem at that point (e.g., by adding
> a send_tok->length=0; in ssh_gssapi_init_ctx), but my reading of the API
> specification is that gss_init_sec_context(), not the caller, is
> responsible for initialising the output token.

It looks like this only fails when gss_init_sec_context returns an error,
and RFC 2744 isn't entirely clear on whether the output token is supposed
to be initialized in that case, but I can certainly see the convenience
argument for doing so.

Sam, is it appropriate to initialize the output token at the mechglue
layer?  The krb5 GSSAPI implementation appears to always do the right
thing, so I think this is only a problem when OpenSSH is checking a GSSAPI
mechanism that the K5 GSSAPI libraries don't support (unless I've missed
something somewhere).

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
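To make the disagreement above concrete, here is an added C example (not OpenSSH or MIT krb5 code) that models the reported behaviour with constructed stand-in types: a mechanism layer that returns an error without touching `output_token`, and a caller that does or does not apply the `send_tok->length = 0` initialisation Sergio suggested.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for gss_buffer_desc and two GSS major-status
 * codes; not the real GSSAPI types. */
typedef struct { size_t length; void *value; } tok_t;
enum { GSS_S_COMPLETE = 0, GSS_S_BAD_MECH = 1 };
#define STALE_PTR ((void *)0x1)   /* models garbage left on the stack */

/* Models the reported mechglue behaviour: an unsupported mechanism fails
 * early and output_token is left exactly as the caller passed it; a
 * supported one fills in a real token. */
static int model_init_sec_context(int mech_supported, tok_t *output_token)
{
    if (!mech_supported)
        return GSS_S_BAD_MECH;            /* output_token not touched */
    output_token->length = 5;
    output_token->value = malloc(output_token->length);
    memcpy(output_token->value, "token", output_token->length);
    return GSS_S_COMPLETE;
}

/* One ssh_gssapi_check_mechanism()-style probe. 'prezero' applies the
 * send_tok->length = 0 workaround. Returns whether the release step
 * would hand a stale pointer to free() (the "free(): invalid pointer"
 * symptom); the major status goes to *maj_out. Real tokens are freed. */
int probe_would_free_stale(int mech_supported, int prezero, int *maj_out)
{
    tok_t send_tok = { 42, STALE_PTR };  /* constructed stale contents */
    if (prezero) {
        send_tok.length = 0;
        send_tok.value = NULL;
    }
    *maj_out = model_init_sec_context(mech_supported, &send_tok);
    int stale = (send_tok.length != 0 && send_tok.value == STALE_PTR);
    if (!stale && send_tok.length != 0)
        free(send_tok.value);             /* genuine token: safe to free */
    return stale;
}

/* Wrappers so each result is a plain return value. */
int probe_stale(int mech_supported, int prezero)
{ int m; return probe_would_free_stale(mech_supported, prezero, &m); }
int probe_status(int mech_supported, int prezero)
{ int m; probe_would_free_stale(mech_supported, prezero, &m); return m; }

int main(void)
{
    printf("unsupported mech, no init:  stale_free=%d\n", probe_stale(0, 0));
    printf("unsupported mech, length=0: stale_free=%d\n", probe_stale(0, 1));
    return 0;
}
```

Only the error path with an uninitialised buffer ends up releasing garbage; a zero-length buffer is never passed to free(), whichever side of the API contract ends up responsible for setting it.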