diff options
| author | Tom Yu <tlyu@mit.edu> | 2004-08-17 23:57:16 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2004-08-17 23:57:16 +0000 |
| commit | 6ecd93648f210e43bc4214fbd626a6b93d0e6db3 (patch) | |
| tree | f6c822b1526fbfb2194853b79a047ae0eb69e39d /src | |
| parent | b6f896d46dc824de8895c3606e1f6e84cf23ae6f (diff) | |
| download | krb5-6ecd93648f210e43bc4214fbd626a6b93d0e6db3.tar.gz krb5-6ecd93648f210e43bc4214fbd626a6b93d0e6db3.tar.xz krb5-6ecd93648f210e43bc4214fbd626a6b93d0e6db3.zip | |
* svc.c (svc_getreqset): Allocate cred and verf memory to
temporary pointers, and free the temporary pointers on exit.
Freeing the actual cred and verf pointers can cause corruption
because auth mechanisms can reassign the pointers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16669 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/rpc/ChangeLog | 7 | ||||
| -rw-r--r-- | src/lib/rpc/svc.c | 20 |
2 files changed, 21 insertions, 6 deletions
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index f58e800985..1e90d7fdaa 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,10 @@ +2004-08-17 Tom Yu <tlyu@mit.edu> + + * svc.c (svc_getreqset): Allocate cred and verf memory to + temporary pointers, and free the temporary pointers on exit. + Freeing the actual cred and verf pointers can cause corruption + because auth mechanisms can reassign the pointers. + 2004-08-16 Tom Yu <tlyu@mit.edu> * svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages. diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index e7f3243cfa..ac69df48f1 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -420,10 +420,18 @@ svc_getreqset(readfds) register SVCXPRT *xprt; register int sock; bool_t no_dispatch; + caddr_t rawcred, rawverf, cookedcred; - msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES); - msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES); - r.rq_clntcred = mem_alloc(RQCRED_SIZE); + rawcred = mem_alloc(MAX_AUTH_BYTES); + rawverf = mem_alloc(MAX_AUTH_BYTES); + cookedcred = mem_alloc(RQCRED_SIZE); + + if (rawcred == NULL || rawverf == NULL || cookedcred == NULL) + return; + + msg.rm_call.cb_cred.oa_base = rawcred; + msg.rm_call.cb_verf.oa_base = rawverf; + r.rq_clntcred = cookedcred; #ifdef FD_SETSIZE for (sock = 0; sock <= max_xport; sock++) { @@ -497,7 +505,7 @@ svc_getreqset(readfds) } while (stat == XPRT_MOREREQS); } } - mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES); - mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES); - mem_free(r.rq_clntcred, RQCRED_SIZE); + mem_free(rawcred, MAX_AUTH_BYTES); + mem_free(rawverf, MAX_AUTH_BYTES); + mem_free(cookedcred, RQCRED_SIZE); } |