Crash in gssrpc_xdr_free()

[mcatanzaro]

Using Epiphany Tech Preview, every time I navigate to a web page that requires Kerberos authentication, my network process crashes in gssproxy code. I've never seen this before until a few minutes ago, but now it's become 100% reproducible across browser restarts, so somehow I've gotten my system into a bad state that triggers this bug. Not sure how, though.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f4a545bb591 in gssrpc_xdr_bytes (xdrs=0x7ffe2289ec80, cpp=0x8, sizep=0x0, maxsize=4294967295) at xdr.c:441
441		char *sp = *cpp;  /* sp is the actual string pointer */
[Current thread is 1 (Thread 0x7f4ab1e3d100 (LWP 8))]
(gdb) bt full
#0  0x00007f4a545bb591 in gssrpc_xdr_bytes (xdrs=0x7ffe2289ec80, cpp=0x8, sizep=0x0, maxsize=4294967295) at xdr.c:441
        sp = <optimized out>
        nodesize = <optimized out>
#1  0x00007f4a545d9599 in xdr_octet_string () at rpcgen/gss_proxy_xdr.c:18
#2  0x00007f4a545d95bd in xdr_gssx_buffer (xdrs=<optimized out>, objp=<optimized out>) at rpcgen/gss_proxy_xdr.c:44
#3  0x00007f4a545d9746 in xdr_gssx_name (xdrs=xdrs@entry=0x7ffe2289ec80, objp=objp@entry=0x0)
    at rpcgen/gss_proxy_xdr.c:186
#4  0x00007f4a545d97f6 in xdr_gssx_cred (xdrs=0x7ffe2289ec80, 
    xdrs@entry=<error reading variable: value has been optimized out>, objp=0x0, 
    objp@entry=<error reading variable: value has been optimized out>) at rpcgen/gss_proxy_xdr.c:225
#5  0x00007f4a545bb00b in gssrpc_xdr_free (proc=<optimized out>, objp=<optimized out>) at xdr.c:81

                  x = {x_op = XDR_FREE, x_ops = 0x7f4a545e3fac <gssi_init_sec_context+524>, x_public = 0xffffffff <error: Cannot access memory at address 0xffffffff>, x_private = 0x0, x_base = 0x0, x_handy = 978656736}
#6  0x00007f4a545e41bd in gssi_init_sec_context
    (minor_status=minor_status@entry=0x7ffe2289f1e8, claimant_cred_handle=claimant_cred_handle@entry=0x0, context_handle=0x55ef3a2c04b0, target_name=0x55ef3a435080, mech_type=0x55ef3a56bc90, req_flags=req_flags@entry=32, time_req=<optimized out>, input_cb=<optimized out>, input_token=<optimized out>, actual_mech_type=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at src/mechglue/gpp_init_sec_context.c:174
        behavior = <optimized out>
        ctx_handle = 0x55ef3a52f590
        cred_handle = 0x55ef3a3f37b0
        out_cred = 0x55ef3a421570
        tmaj = <optimized out>
        tmin = 0
        maj = 0
        min = 0
#7  0x00007f4ab23e1fe0 in gss_init_sec_context
    (minor_status=minor_status@entry=0x7ffe2289f1e8, claimant_cred_handle=claimant_cred_handle@entry=0x0, context_handle=context_handle@entry=0x55ef3a551da8, target_name=target_name@entry=0x55ef3a5506f0, req_mech_type=<optimized out>, req_flags=req_flags@entry=32, time_req=<optimized out>, input_chan_bindings=<optimized out>, input_token=<optimized out>, actual_mech_type=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at g_init_sec_context.c:211
        status = <optimized out>
        temp_minor_status = 32586
        union_name = 0x55ef3a5506f0
        union_cred = <optimized out>
        internal_name = 0x55ef3a435080
        union_ctx_id = 0x55ef3a2c04a0
        selected_mech = 0x55ef3a634210
        mech = 0x55ef3a633fb0
        input_cred_handle = 0x0
#8  0x00007f4ab2408351 in init_ctx_call_init
    (minor_status=minor_status@entry=0x7ffe2289f1e8, sc=sc@entry=0x55ef3a551d80, spcred=spcred@entry=0x0, acc_negState=acc_negState@entry=4294967295, target_name=target_name@entry=0x55ef3a5506f0, req_flags=req_flags@entry=0, time_req=<optimized out>, mechtok_in=<optimized out>, bindings=<optimized out>, mechtok_out=<optimized out>, time_rec=<optimized out>, send_token=<optimized out>) at spnego_mech.c:929
        ret = <optimized out>
        tmpret = <optimized out>
        tmpmin = 21999
        mech_req_flags = 32
        mcred = <optimized out>
#9  0x00007f4ab2409f16 in spnego_gss_init_sec_context
    (minor_status=minor_status@entry=0x7ffe2289f1e8, claimant_cred_handle=claimant_cred_handle@entry=0x0, context_hand--Type <RET> for more, q to quit, c to continue without paging--c
le=0x55ef3a3d97c0, target_name=0x55ef3a5506f0, mech_type=<optimized out>, req_flags=req_flags@entry=0, time_req=<optimized out>, bindings=<optimized out>, input_token=<optimized out>, actual_mech=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at spnego_mech.c:1087
        send_token = INIT_TOKEN_SEND
        tmpmin = 0
        ret = <optimized out>
        negState = 4294967295
        acc_negState = 4294967295
        mechtok_in = 0x0
        mechListMIC_in = 0x0
        mechListMIC_out = 0x0
        mechtok_out = {length = 631, value = 0x55ef3a66a710}
        spcred = 0x0
        spnego_ctx = 0x55ef3a551d80
#10 0x00007f4ab23e1fe0 in gss_init_sec_context (minor_status=minor_status@entry=0x7ffe2289f1e8, claimant_cred_handle=claimant_cred_handle@entry=0x0, context_handle=context_handle@entry=0x55ef3a34fea0, target_name=0x55ef3a613cf0, req_mech_type=req_mech_type@entry=0x7f4ab52211e0 <gss_mech_spnego>, req_flags=req_flags@entry=0, time_req=<optimized out>, input_chan_bindings=<optimized out>, input_token=<optimized out>, actual_mech_type=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at g_init_sec_context.c:211
        status = <optimized out>
        temp_minor_status = 0
        union_name = 0x55ef3a613cf0
        union_cred = <optimized out>
        internal_name = 0x55ef3a5506f0
        union_ctx_id = 0x55ef3a3d97b0
        selected_mech = 0x55ef3a63fc80
        mech = 0x55ef3a63fc80
        input_cred_handle = 0x0
#11 0x00007f4ab51aef88 in soup_gss_client_step (conn=conn@entry=0x55ef3a34fe90, challenge=challenge@entry=0x7f4ab52001d5 "", error_message=error_message@entry=0x7ffe2289f2f0) at ../libsoup/auth/soup-auth-negotiate.c:596
        maj_stat = <optimized out>
        min_stat = 0
        in = {length = 0, value = 0x0}
        out = {length = 0, value = 0x0}
        ret = 0
#12 0x00007f4ab51af5ac in soup_gss_build_response (conn=conn@entry=0x55ef3a34fe90, auth=<optimized out>, error_message=error_message@entry=0x7ffe2289f2f0) at ../libsoup/auth/soup-auth-negotiate.c:494
#13 0x00007f4ab51af86c in soup_auth_negotiate_update_connection (auth=0x7f48c0001a20 [SoupAuthNegotiate], msg=0x55ef3a345e60 [SoupMessage], header=<optimized out>, state=0x55ef3a34fe90) at ../libsoup/auth/soup-auth-negotiate.c:265
        success = 1
        conn = 0x55ef3a34fe90
        error_message = 0x0
        __func__ = "soup_auth_negotiate_update_connection"
#14 0x00007f4ab51b18d1 in soup_connection_auth_update (auth=0x7f48c0001a20 [SoupAuthNegotiate], msg=0x55ef3a345e60 [SoupMessage], auth_params=<optimized out>) at ../libsoup/auth/soup-connection-auth.c:153
        cauth = 0x7f48c0001a20 [SoupAuthNegotiate]
        conn = 0x55ef3a34fe90
        iter = {dummy1 = 0x55ef3a3cfd20, dummy2 = 0x7f48c0001a20, dummy3 = 0x7ffe2289f3d0, dummy4 = 8, dummy5 = 32586, dummy6 = 0x7f4a00000000}
        auth_header = 0x55ef3a3e6aa0
        key = 0x7ffe2289f3d0
        value = 0x7f4ab51ee6f0 <soup_str_case_hash+64>
        result = <optimized out>
#15 0x00007f4ab51a9b8a in soup_auth_new (type=<optimized out>, msg=msg@entry=0x55ef3a345e60 [SoupMessage], auth_header=<optimized out>) at ../libsoup/auth/soup-auth.c:291
        auth = 0x7f48c0001a20 [SoupAuthNegotiate]
        params = 0x55ef3a3cfd20
        scheme = 0x7f4ab51fe808 "Negotiate"
        uri = <optimized out>
        authority = <optimized out>
        __func__ = "soup_auth_new"
        priv = 0x7f48c0001a00
#16 0x00007f4ab51b04d8 in create_auth (priv=priv@entry=0x55ef39ecf540, msg=msg@entry=0x55ef3a345e60 [SoupMessage]) at ../libsoup/auth/soup-auth-manager.c:337
        j = 0
        header = 0x55ef3a3804d0 "Negotiate"
        auth_class = 0x55ef39f02790
        challenges = 0x55ef39f2a040
        auth = <optimized out>
        i = 3
#17 0x00007f4ab51b0f6b in auth_got_headers (msg=0x55ef3a345e60 [SoupMessage], manager=0x55ef39ecf570) at ../libsoup/auth/soup-auth-manager.c:632
        priv = 0x55ef39ecf540
        auth = <optimized out>
        prior_auth = <optimized out>
        prior_auth_failed = 0
#21 0x00007f4ab4f452e3 in <emit signal ??? on instance 0x55ef3a345e60 [SoupMessage]> (instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3606
        var_args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffe2289f8d0, reg_save_area = 0x7ffe2289f810}}
    #18 0x00007f4ab4f294d2 in g_closure_invoke (closure=0x55ef3a60a5b0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7ffe2289f670, invocation_hint=invocation_hint@entry=0x7ffe2289f5f0) at ../gobject/gclosure.c:832
                marshal = 0x7f4ab51e7e90 <status_handler_metamarshal>
                marshal_data = 0x191
                in_marshal = 0
                real_closure = 0x55ef3a60a590
                __func__ = "g_closure_invoke"
    #19 0x00007f4ab4f3e1a8 in signal_emit_unlocked_R (node=node@entry=0x55ef3a342010, detail=detail@entry=0, instance=instance@entry=0x55ef3a345e60, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffe2289f670) at ../gobject/gsignal.c:3796
                tmp = <optimized out>
                handler = 0x55ef3a400600
                accumulator = 0x0
                emission = {next = 0x0, instance = 0x55ef3a345e60, ihint = {signal_id = 32, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x4 [void]}
                hlist = <optimized out>
                handler_list = 0x55ef3a380ec0
                return_accu = 0x0
                accu = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 32
                max_sequential_handler_number = 10223
                return_value_altered = <optimized out>
    #20 0x00007f4ab4f45115 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffe2289f7f0) at ../gobject/gsignal.c:3549
                instance_and_params = 0x7ffe2289f670
                signal_return_type = <optimized out>
                param_values = 0x7ffe2289f688
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __func__ = "g_signal_emit_valist"
#22 0x00007f4ab51e8943 in soup_message_got_headers (msg=<optimized out>) at ../libsoup/soup-message.c:1212
#23 0x00007f4ab51c6408 in on_frame_recv_callback (session=<optimized out>, frame=0x55ef3a579208, user_data=0x55ef3a501f80) at ../libsoup/http2/soup-client-message-io-http2.c:731
        status = 401
        io = 0x55ef3a501f80
        data = 0x55ef3a435aa0
        __func__ = "on_frame_recv_callback"
#24 0x00007f4ab23acd67 in session_call_on_frame_received (frame=0x55ef3a579208, session=0x55ef3a578f30) at ../../lib/nghttp2_session.c:3658
        rv = <optimized out>
        rv = <optimized out>
        frame = 0x55ef3a579208
        stream = 0x55ef3a37bea0
        __PRETTY_FUNCTION__ = "session_after_header_block_received"
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = <optimized out>
        last = <optimized out>
        iframe = 0x55ef3a579208
        readlen = 1347
        padlen = <optimized out>
        rv = <optimized out>
        busy = 0
        cont_hd = {length = 140729477888544, stream_id = 1683520941, type = 74 'J', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55ef3a579910
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#25 session_after_header_block_received (session=0x55ef3a578f30) at ../../lib/nghttp2_session.c:4180
        rv = <optimized out>
        frame = 0x55ef3a579208
        stream = 0x55ef3a37bea0
        __PRETTY_FUNCTION__ = "session_after_header_block_received"
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = <optimized out>
        last = <optimized out>
        iframe = 0x55ef3a579208
        readlen = 1347
        padlen = <optimized out>
        rv = <optimized out>
        busy = 0
        cont_hd = {length = 140729477888544, stream_id = 1683520941, type = 74 'J', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55ef3a579910
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#26 nghttp2_session_mem_recv (session=0x55ef3a578f30, in=0x7ffe2289ffac "", in@entry=0x7ffe2289fa60 "", inlen=inlen@entry=2017) at ../../lib/nghttp2_session.c:6823
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = <optimized out>
        last = <optimized out>
        iframe = 0x55ef3a579208
        readlen = 1347
        padlen = <optimized out>
        rv = <optimized out>
        busy = 0
        cont_hd = {length = 140729477888544, stream_id = 1683520941, type = 74 'J', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55ef3a579910
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#27 0x00007f4ab51c50a5 in io_read (io=0x55ef3a501f80, blocking=<optimized out>, cancellable=0x0, error=0x7ffe228a1ab0) at ../libsoup/http2/soup-client-message-io-http2.c:411
        buffer = "\000\005C\001\004\000\000\000\001 H\003\064\060\061v\204\252cU\347a\226\337=\277J\005\225\065\021*\b\002\022\201r\340\031\270\310Tţ\177_\221I|\245\211\323M\037d\234v \251\203\206\374+=\\\003\066\065\062\000\211 \311\071V!\352M\207\243\232\250\353!'\260\277JSj\022\265\205\356:\r \322_\245)\037\225\207\061`\a\000\207AR\261\016~\246/⇆\374qn\301\273vMZb\311~\002\216VI\033\201Z6]\225f\204\310\326\031^mg$\fo2F\236i\247\027@\276\324\342[\020c\325\000~\324\326\064\317\003\003\265\063\261aGE(c\005\065\320\177E.K\372\330\373Sp\351.\343$\260i=E\373S"...
        read = 2017
        ret = <optimized out>
        __func__ = "io_read"
#28 0x00007f4ab51c52b0 in io_read_ready (stream=<optimized out>, io=0x55ef3a501f80) at ../libsoup/http2/soup-client-message-io-http2.c:437
        error = 0x0
        progress = <optimized out>
        conn = 0x55ef3a34a210 [SoupConnection]
#29 0x00007f4ab4e2c661 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3444
        dispatch = 0x7f4ab5024820 <pollable_source_dispatch>
        prev_source = 0x0
        begin_time_nsec = 8785558435284
        was_in_call = 0
        user_data = 0x55ef3a501f80
        callback = 0x7f4ab51c5200 <io_read_ready>
        cb_funcs = 0x7f4ab4f102c0 <g_source_callback_funcs>
        cb_data = 0x55ef3a420bd0
        need_destroy = <optimized out>
        source = 0x55ef3a56f490
        current = 0x55ef39eeba20
        i = 3
        __func__ = "g_main_dispatch"
#30 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4162
#31 0x00007f4ab4e2cbb8 in g_main_context_iterate (context=0x55ef39ec9780, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4238
        max_priority = 2147483647
        timeout = 540
        some_ready = 1
        nfds = 15
        allocated_nfds = <optimized out>
        fds = <optimized out>
        begin_time_nsec = 8785504442538
#32 0x00007f4ab4e2ce9f in g_main_loop_run (loop=0x55ef39eca930) at ../glib/gmain.c:4438
        __func__ = "g_main_loop_run"
#33 0x00007f4ab83e8eb0 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
        runLoop = @0x7f4aa80100e0: {<WTF::FunctionDispatcher> = {_vptr.FunctionDispatcher = 0x7f4ab87c79f0 <vtable for WTF::RunLoop+16>}, <WTF::ThreadSafeRefCounted<WTF::RunLoop, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = std::atomic<unsigned int> = { 14 }}, <No data fields>}, m_currentIteration = {m_start = 1, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f4aa8307e00, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = std::atomic<unsigned char> = { 0 '\000' }}}, m_nextIteration = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7f4ab83e8cf0 <_FUN(GSource*, GSourceFunc, gpointer)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x55ef39ec9780}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7f4aa8008180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x55ef39eca950}, m_observers = {m_set = {m_impl = {{m_table = 0x0, m_tableForLLDB = 0x0}}}}}
        mainContext = 0x55ef39ec9780
        innermostLoop = 0x55ef39eca930
        nestedMainLoop = <optimized out>
#34 0x00007f4ab9433430 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argc=3, argv=0x7ffe228a1e58, this=0x7ffe228a1cb0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71
        auxiliaryMain = {m_storage = {__data = "\340\313M\274J\177", '\000' <repeats 26 times>, "\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\f", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\250J\177\000", __align = {<No data fields>}}}
#35 WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argv=0x7ffe228a1e58, argc=3, this=0x7ffe228a1cb0) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58
        auxiliaryMain = {m_storage = {__data = "\340\313M\274J\177", '\000' <repeats 26 times>, "\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\f", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\250J\177\000", __align = {<No data fields>}}}
#36 WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) (argc=3, argv=0x7ffe228a1e58) at /usr/lib/debug/source/sdk/webkit2gtk-5.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97
        auxiliaryMain = {m_storage = {__data = "\340\313M\274J\177", '\000' <repeats 26 times>, "\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\f", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\300\000\003\250J\177\000", __align = {<No data fields>}}}
#37 0x00007f4ab886154a in __libc_start_call_main (main=main@entry=0x55ef3878b060 <main>, argc=argc@entry=3, argv=argv@entry=0x7ffe228a1e58) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140729477897816, -4170227206851225090, 3, 0, 94485932989840, 139958966870016, -4170227206836545026, -4086642367529707010}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7ffe228a1e50}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#38 0x00007f4ab886160b in __libc_start_main_impl (main=0x55ef3878b060 <main>, argc=3, argv=0x7ffe228a1e58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#39 0x000055ef3878b095 in _start ()

[mcatanzaro]

Is it bad to call xdr_gssx_cred() with objp=0x0?

[simo5]

Unfortunately it is:

bool_t
xdr_gssx_cred (XDR *xdrs, gssx_cred *objp)
{
         if (!xdr_gssx_name (xdrs, &objp->desired_name))
[..]

Instacrash

[simo5]

The problem is that I do not see how you can have that credential be 0.
The code returns something in there only if it was successful in populating a credential structure. See return_new_cred_handle() if curious.

[simo5]

I guess valgrind could help here maybe?
I see a complex code path to find out if cred->remote could actually be 0..
Although I also see a possible "easy" fix that will paper over and avoid calling xdr_free() if cred_handle->remote is NULL ...

[simo5]

See cred_handle->remote could be 0 if gppint_get_def_creds() fails, which can conceivably happen in your case.

[simo5]

Any chance you can test PR#68 in the environment where you reproduce this?

[mcatanzaro]

Any chance you can test PR#68 in the environment where you reproduce this?

Added to GNOME runtime

[mcatanzaro]

Well the updated GNOME runtime built successfully, but unfortunately I can no longer reproduce the crash today. :( I'm no longer crashing with the old runtime version.

[simo5]

Awesome...

Well, we can keep this PR here for a little longer, on the offchance you can reproduce.
If not I'll merge as is, it breaks nothing and can handle some odd cases.