Hi, In ssh_krl_from_blob(), krl.c:984, /* Record keys used to sign the KRL */ xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); ca_used[nca_used++] = key; The result of `xrealloc' is never assigned to `ca_used', which remains a null pointer. Will ca_used[...] crash?. Did I miss anything? Thanks. - xi