From ab69b71fcf9187269058b4e1ff7b394cc37f19da Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 26 Feb 2015 15:49:59 -0500
Subject: Properly handle security contexts on error

On error we need to make sure we do not return a pointer to a security context that may have been already freed. So make sure to always unconditionally return the context that we've been returned by our callees.

Also reorganize the code so we do not accidently wipe the context and leak memoy on error.

This fixed a double-free bug found by NFS folks @ Red Hat

Fixes: https://fedorahosted.org/gss-proxy/ticket/137

Signed-off-by: Simo Sorce
Reviewed-by: Nathaniel McCallum
---
 proxy/src/client/gpm_init_sec_context.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'proxy/src/client/gpm_init_sec_context.c')

diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
index bd88055..14c65e4 100644
--- a/proxy/src/client/gpm_init_sec_context.c
+++ b/proxy/src/client/gpm_init_sec_context.c
@@ -137,12 +137,6 @@ done:
     gpm_free_xdrs(GSSX_INIT_SEC_CONTEXT, &uarg, &ures);
 
     if (ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED) {
-        /* replace old ctx handle if any */
-        if (*context_handle) {
-            xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)*context_handle);
-            free(*context_handle);
-        }
-        *context_handle = ctx;
         if (actual_mech_type) {
             *actual_mech_type = mech;
         }
@@ -171,6 +165,13 @@ done:
         }
     }
 
+    /* always replace old ctx handle and set new */
+    if (*context_handle) {
+        xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)*context_handle);
+        free(*context_handle);
+    }
+    *context_handle = ctx;
+
     *minor_status = ret_min;
     return ret_maj;
 }
-- 
cgit
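Review bot: The ownership invariant that makes the unconditional `xdr_free`/`free` of `*context_handle` safe is not stated anywhere in the new block, and it is exactly the invariant the double-free this commit fixes depends on: the caller's handle must not have been aliased into `uarg`, which `gpm_free_xdrs()` already released at the top of the `done:` label a few lines earlier, and `ctx` must never be the same pointer as `*context_handle`, or the assignment on the last added line would hand back freed memory. Neither the request-building code nor the initialization of `ctx` is visible in this hunk, so I cannot confirm either from here; whether `ctx` is NULL on the error paths (so that a failing continuation call silently destroys the caller's existing context) also has to be checked in the part of gpm_init_sec_context that lies outside the hunk. I would replace the one-line comment with `/* Consume the caller's handle on every path and hand back the one the callee returned (NULL on error). Requires that *context_handle was never placed in uarg, which gpm_free_xdrs() above has already freed, and that ctx != *context_handle. */` so the next change to the request path does not reintroduce the bug. The enclosing function starts outside this hunk.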