Fix KDB iteration when callback does write calls

kdb_db2's ctx_iterate makes an convenience alias to dbc->db in order
to call more invoke call the DB's seq method.  This alias may become
invalidated if the callback writes to the DB, since ctx_lock() may
re-open the DB in order to acquire a write lock.  Fix the bug by
getting rid of the convenience alias.

Most KDB iteration operations in the code base do not write to the DB,
but kdb5_util update_princ_encryption does.

Bug discovered and diagnosed by will.fiveash@oracle.com.

ticket: 7096
target_version: 1.10.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25723 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 2 insertions, 4 deletions

diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index f63b12e05..e85ce4be1 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -940,7 +940,6 @@ ctx_iterate(krb5_context context, krb5_db2_context *dbc,
             krb5_error_code (*func)(krb5_pointer, krb5_db_entry *),
             krb5_pointer func_arg)
 {
-    DB *db;
     DBT key, contents;
     krb5_data contdata;
     krb5_db_entry *entry;
@@ -951,8 +950,7 @@ ctx_iterate(krb5_context context, krb5_db2_context *dbc,
     if (retval)
         return retval;
 
-    db = dbc->db;
-    dbret = db->seq(db, &key, &contents, R_FIRST);
+    dbret = dbc->db->seq(dbc->db, &key, &contents, R_FIRST);
     while (dbret == 0) {
         contdata.data = contents.data;
         contdata.length = contents.size;
@@ -974,7 +972,7 @@ ctx_iterate(krb5_context context, krb5_db2_context *dbc,
             retval = retval2;
             break;
         }
-        dbret = db->seq(db, &key, &contents, R_NEXT);
+        dbret = dbc->db->seq(dbc->db, &key, &contents, R_NEXT);
     }
     switch (dbret) {
     case 1: