author | Tomas Kuthan <tkuthan@gmail.com> | 2014-03-26 17:04:30 +0100 |
committer | Greg Hudson <ghudson@mit.edu> | 2014-03-27 11:42:11 -0400 |
commit | b24c362f0589a6212f2f544263bdb76e0988c582 (patch) | |
tree | 4d07a9f882eee3f9e5e999d191430804cddf461d | |
parent | 54c97cd0c435f78880d80541a20cf7f08928705d (diff) | |
Don't free cred handle used in kadm5 server handle
At the end of setup_gss(), gss_client_creds is released, but an alias
to the credential handle is saved in kadm5_server_handle_t in
handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred.
Accessing these credentials (by authgss_refresh) can result in use
after free.
This fix stores the credential reference in the server handle and
releases the credentials in kadm5_destroy.
[ghudson@mit.edu: initialize handle->cred to correct constant; get rid
of gss_client_creds variable; clarify commit message slightly]
ticket: 7891 (new)
-rw-r--r-- | src/lib/kadm5/clnt/client_init.c | 13 | ||||
-rw-r--r-- | src/lib/kadm5/clnt/client_internal.h | 1 |
2 files changed, 7 insertions, 7 deletions
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index 211bb555d..48d93882a 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -193,6 +193,7 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
 handle->cache_name = 0;
 handle->destroy_cache = 0;
 handle->context = 0;
+ handle->cred = GSS_C_NO_CREDENTIAL;
 *handle->lhandle = *handle;
 handle->lhandle->api_version = KADM5_API_VERSION_4;
 handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
@@ -577,11 +578,9 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
 gss_buffer_desc buf;
 gss_name_t gss_client;
 gss_name_t gss_target;
- gss_cred_id_t gss_client_creds;
 const char *c_ccname_orig;
 char *ccname_orig;
 
- gss_client_creds = GSS_C_NO_CREDENTIAL;
 ccname_orig = NULL;
 gss_client = gss_target = GSS_C_NO_NAME;
@@ -614,7 +613,7 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
 gssstat = gss_acquire_cred(&minor_stat, gss_client, 0,
 GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- &gss_client_creds, NULL, NULL);
+ &handle->cred, NULL, NULL);
 if (gssstat != GSS_S_COMPLETE) {
 #if 0 /* for debugging only */
 {
@@ -667,12 +666,9 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
 * Do actual creation of RPC auth handle. Implements auth flavor
 * fallback.
 */
- rpc_auth(handle, params_in, gss_client_creds, gss_target);
+ rpc_auth(handle, params_in, handle->cred, gss_target);
 
 error:
- if (gss_client_creds != GSS_C_NO_CREDENTIAL)
- (void) gss_release_cred(&minor_stat, &gss_client_creds);
-
 if (gss_client)
 gss_release_name(&minor_stat, &gss_client);
 if (gss_target)
@@ -743,6 +739,7 @@ rpc_auth(kadm5_server_handle_t handle, kadm5_config_params *params_in,
 kadm5_ret_t
 kadm5_destroy(void *server_handle)
 {
+ OM_uint32 minor_stat;
 krb5_ccache ccache = NULL;
 int code = KADM5_OK;
 kadm5_server_handle_t handle =
@@ -757,6 +754,8 @@ kadm5_destroy(void *server_handle)
 }
 if (handle->cache_name)
 free(handle->cache_name);
+ if (handle->cred)
+ (void)gss_release_cred(&minor_stat, &handle->cred);
 if (handle->clnt && handle->clnt->cl_auth)
 AUTH_DESTROY(handle->clnt->cl_auth);
 if (handle->clnt)
diff --git a/src/lib/kadm5/clnt/client_internal.h b/src/lib/kadm5/clnt/client_internal.h
index 6ee8eea23..fca7a7dc7 100644
--- a/src/lib/kadm5/clnt/client_internal.h
+++ b/src/lib/kadm5/clnt/client_internal.h
@@ -74,6 +74,7 @@ typedef struct _kadm5_server_handle_t {
 CLIENT * clnt;
 int client_socket;
 krb5_context context;
+ gss_cred_id_t cred;
 kadm5_config_params params;
 struct _kadm5_server_handle_t *lhandle;
 } kadm5_server_handle_rec, *kadm5_server_handle_t;
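Review bot: The new `handle->cred = GSS_C_NO_CREDENTIAL;` is copied into `*handle->lhandle` on the very next line, and nothing in this patch updates lhandle->cred when setup_gss later stores the acquired credential into handle->cred, so lhandle's copy stays GSS_C_NO_CREDENTIAL. That is harmless as long as kadm5_destroy only ever runs on the outer handle, but the ownership rule is worth stating where the field is first set: `handle->cred = GSS_C_NO_CREDENTIAL; /* acquired by setup_gss(); owned and released by kadm5_destroy() */`. init_any continues outside the hunk, so I cannot see whether lhandle is ever torn down separately.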
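Review bot: With the release under `error:` removed, a failure between gss_acquire_cred and the rpc_auth call now leaves the acquired credential sitting in handle->cred, so setup_gss no longer cleans up after itself and depends on the caller eventually reaching kadm5_destroy. If init_any's failure path frees the handle without going through kadm5_destroy (not visible here), that credential leaks on every failed init; either confirm that path calls kadm5_destroy, or release `handle->cred` under `error:` when the function is returning an error. A one-line comment at the label, `/* handle->cred stays owned by the handle; released in kadm5_destroy */`, would make the new ownership explicit to the next reader. setup_gss continues outside the hunk.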
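Review bot: The credential is released before `AUTH_DESTROY(handle->clnt->cl_auth)`, yet the commit message says the RPC auth handle keeps an alias to it in ah_private->sec.cred, so during AUTH_DESTROY that alias is already dangling; if the auth destroy path ever touches sec.cred this reintroduces the same use-after-free the patch is fixing, just at teardown. Moving the two new lines below the AUTH_DESTROY block closes that window at no cost, since nothing between them reads the credential. Separately, the guard `if (handle->cred)` reads better as `if (handle->cred != GSS_C_NO_CREDENTIAL)`, matching the check this patch removes from setup_gss. kadm5_destroy starts in the previous hunk and continues outside this one.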
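Review bot: The new struct field carries no comment, while the ownership rule it introduces (acquired in setup_gss, aliased by the RPC auth handle, released only in kadm5_destroy) is exactly what the previous use-after-free got wrong; I would add `gss_cred_id_t cred; /* client creds acquired by setup_gss(); released in kadm5_destroy() */`. The typedef's opening line appears only in the hunk header, so the start of the struct is outside the hunk.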