I'm not sure if it's a complete fix, but there appears to be a problem
in kerberos5.c around line 2228.  r->client_princ can be NULL at the
`out:` label, so dereferencing it in the call to _kdc_fast_mk_error is not safe:

  ret = _kdc_fast_mk_error(context, r,
                           &error_method,
                           r->armor_crypto,
                           &req->req_body,
                           ret, r->e_text,
                           r->server_princ,
                           &r->client_princ->name,
                           &r->client_princ->realm,
                           NULL, NULL,
                           reply);

I'm attaching a straightforward patch that guards this case, but I'm
not sure whether the NULL client_princ is itself a symptom of an earlier
failure in the request path.  Also, since I can't reproduce the crash,
I can't confirm that this patch fixes it.
Index: heimdal-7.4.0.dfsg.1/kdc/kerberos5.c
===================================================================
--- heimdal-7.4.0.dfsg.1.orig/kdc/kerberos5.c
+++ heimdal-7.4.0.dfsg.1/kdc/kerberos5.c
@@ -2228,14 +2228,22 @@ out:
      * In case of a non proxy error, build an error message.
      */
     if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+        PrincipalName *error_client_name  = NULL;
+        Realm         *error_client_realm = NULL;
+
+        if (r->client_princ)
+        {
+            error_client_name  = &r->client_princ->name;
+            error_client_realm = &r->client_princ->realm;
+        }
        ret = _kdc_fast_mk_error(context, r,
                                 &error_method,
                                 r->armor_crypto,
                                 &req->req_body,
                                 ret, r->e_text,
                                 r->server_princ,
-                                &r->client_princ->name,
-                                &r->client_princ->realm,
+                                error_client_name,
+                                error_client_realm,
                                 NULL, NULL,
                                 reply);
        if (ret)
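Review bot: The guard covers r->client_princ, but r->server_princ on the line just above is still passed unguarded, and on the same early-failure path that leaves client_princ unset it is not evident from this hunk that server_princ has been assigned either; whether that matters depends on how _kdc_fast_mk_error and the underlying KRB-ERROR builder treat a NULL server, which is outside the hunk and should be confirmed. Passing NULL for the client name and realm presumably works because cname/crealm are OPTIONAL in KRB-ERROR, but that too rests on the callee accepting NULL rather than dereferencing it. Since the reporter cannot reproduce the crash, a `kdc_log(context, config, 0, "client_princ is NULL in error path (ret=%d)", ret);` inside the new branch's else case would record the condition in the field instead of silently masking it. On style, the brace placement `if (r->client_princ)` followed by `{` on its own line breaks the K&R convention visible on the surrounding `if(ret != 0 ...) {` line; write `if (r->client_princ) {`. The enclosing function begins before this hunk.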
