authorJakub Hrozek <jhrozek@redhat.com>2012-09-12 19:23:48 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-03 13:44:13 +0200
commit052684f1ab1c8a4fcfb2c9057c33273acbaf660e (patch)
tree9cbb6c5004e16f90188b5495204b2ce0773453ab /src/providers/krb5/krb5_auth.c
parentb196e1e91ec04ca5af93bfd2dcfc5225f4858a54 (diff)
FO: Check server validity before setting statussssd-1_8_5
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server, keeps a pointer to it until the end of the request, and only then gives feedback about the server based on the request result. This presents a big race condition when SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server before another request that holds a pointer to the original server is able to give feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 34bc5641b..83dcfae82 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -882,6 +882,7 @@ static void krb5_child_done(struct tevent_req *subreq)
/* ..which is unreachable by now.. */
if (msg_status == PAM_AUTHTOK_LOCK_BUSY) {
be_fo_set_port_status(state->be_ctx,
+ state->krb5_ctx->service->name,
kr->kpasswd_srv, PORT_NOT_WORKING);
/* ..try to resolve next kpasswd server */
if (krb5_next_kpasswd(req) == NULL) {
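Review bot: The service name passed here is `state->krb5_ctx->service->name`, but the server whose status is being set is `kr->kpasswd_srv`. If kpasswd servers are resolved under their own failover service (the krb5 context definition is outside this diff), the new validity check would search the wrong list and the status update for the kpasswd port would be dropped. The same pairing appears in the next hunk (the PORT_WORKING call) and in the SSS_PAM_CHAUTHTOK branch of krb5_next_server. Either pass the name of the service that owns `kr->kpasswd_srv`, or add a comment stating that both server kinds live in one list. krb5_child_done starts and ends outside this hunk.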
@@ -890,6 +891,7 @@ static void krb5_child_done(struct tevent_req *subreq)
return;
} else {
be_fo_set_port_status(state->be_ctx,
+ state->krb5_ctx->service->name,
kr->kpasswd_srv, PORT_WORKING);
}
}
@@ -900,7 +902,8 @@ static void krb5_child_done(struct tevent_req *subreq)
if (msg_status == PAM_AUTHINFO_UNAVAIL ||
(kr->kpasswd_srv == NULL && msg_status == PAM_AUTHTOK_LOCK_BUSY)) {
if (kr->srv != NULL) {
- be_fo_set_port_status(state->be_ctx, kr->srv, PORT_NOT_WORKING);
+ be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name,
+ kr->srv, PORT_NOT_WORKING);
/* ..try to resolve next KDC */
if (krb5_next_kdc(req) == NULL) {
tevent_req_error(req, ENOMEM);
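Review bot: Nothing at this call site tells a reader why the service name is now required: `kr->srv` was resolved before the child request started and may no longer be in the service's server list when this callback runs. A comment above the call would make that contract visible, e.g. `/* kr->srv may be stale after an SRV re-resolution; the callee validates it against the service's list */`. The commit message describes the check as list membership, so it is worth confirming in be_fo_set_port_status (not shown) that a freed server whose address was reused by a newly resolved entry cannot be mistaken for the original. The PORT_WORKING call in the following hunk is the same case, and the enclosing function extends beyond both hunks.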
@@ -908,7 +911,8 @@ static void krb5_child_done(struct tevent_req *subreq)
return;
}
} else if (kr->srv != NULL) {
- be_fo_set_port_status(state->be_ctx, kr->srv, PORT_WORKING);
+ be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name,
+ kr->srv, PORT_WORKING);
}
/* Now only a successful authentication or password change is left.
@@ -971,19 +975,19 @@ static struct tevent_req *krb5_next_server(struct tevent_req *req)
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
- be_fo_set_port_status(state->be_ctx,
+ be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name,
state->kr->srv, PORT_NOT_WORKING);
next_req = krb5_next_kdc(req);
break;
case SSS_PAM_CHAUTHTOK:
case SSS_PAM_CHAUTHTOK_PRELIM:
if (state->kr->kpasswd_srv) {
- be_fo_set_port_status(state->be_ctx,
+ be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name,
state->kr->kpasswd_srv, PORT_NOT_WORKING);
next_req = krb5_next_kpasswd(req);
break;
} else {
- be_fo_set_port_status(state->be_ctx,
+ be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name,
state->kr->srv, PORT_NOT_WORKING);
next_req = krb5_next_kdc(req);
break;
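Review bot: In the SSS_PAM_AUTHENTICATE/SSS_CMD_RENEW case and in the `else` branch of the CHAUTHTOK case, `state->kr->srv` is passed without the `kr->srv != NULL` guard that krb5_child_done applies before the same call. Whether be_fo_set_port_status tolerates a NULL server is not visible here, so either guard these calls with `if (state->kr->srv != NULL)` or document at the call that the callee accepts NULL. The switch statement continues outside this hunk.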