author | Simo Sorce <simo@redhat.com> | 2015-02-26 15:49:59 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-03-24 11:49:25 -0400 |
commit | ab69b71fcf9187269058b4e1ff7b394cc37f19da (patch) | |
tree | be7d8e110a179b59bf6895d27994df649ae32453 /proxy/src/client/gpm_init_sec_context.c | |
parent | 8c09bbb82f3578401a0dbd0c64ca36c8483295fb (diff) | |
Properly handle security contexts on error
On error we need to make sure we do not return a pointer to a
security context that may have been already freed.
So make sure to always unconditionally return the context that we've
been returned by our callees.
Also reorganize the code so we do not accidentally wipe the context
and leak memory on error.
This fixed a double-free bug found by NFS folks @ Red Hat
Fixes: https://fedorahosted.org/gss-proxy/ticket/137
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Diffstat (limited to 'proxy/src/client/gpm_init_sec_context.c')
-rw-r--r-- | proxy/src/client/gpm_init_sec_context.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c index bd88055..14c65e4 100644 --- a/proxy/src/client/gpm_init_sec_context.c +++ b/proxy/src/client/gpm_init_sec_context.c @@ -137,12 +137,6 @@ done: gpm_free_xdrs(GSSX_INIT_SEC_CONTEXT, &uarg, &ures); if (ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED) { - /* replace old ctx handle if any */ - if (*context_handle) { - xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)*context_handle); - free(*context_handle); - } - *context_handle = ctx; if (actual_mech_type) { *actual_mech_type = mech; } @@ -171,6 +165,13 @@ done: } } + /* always replace old ctx handle and set new */ + if (*context_handle) { + xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)*context_handle); + free(*context_handle); + } + *context_handle = ctx; + *minor_status = ret_min; return ret_maj; } |
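Review bot: In the first hunk (@@ -137,12 +137,6), removing the handle replacement from the `ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED` branch leaves the output parameters following two different rules with nothing at the branch to say so: `*actual_mech_type` is still written only on success, while `*context_handle` is now written on every path. A one-line comment in that branch noting that the context handle is dealt with after it, for all statuses, would keep a later reader from moving the assignment back.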
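Review bot: In the second hunk (@@ -171,6 +165,13), the added block frees `*context_handle` and then stores `ctx` without checking that the two differ. If any path reaches this point with `ctx` still pointing at the caller's original context, the caller is handed a pointer that was just freed, which is the class of bug this commit sets out to fix. Consider guarding with `if (*context_handle && *context_handle != ctx)`, or extend the comment to state the invariant that `ctx` is always either NULL or a newly returned context here. The comment should also say that the caller's old handle is released on error too, since that changes what callers observe after a failed call.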