authorTom Yu <tlyu@mit.edu>2004-06-16 02:37:23 +0000
committerTom Yu <tlyu@mit.edu>2004-06-16 02:37:23 +0000
commit2584d8a1f09cc0bf93708474c11a3012bedac42b (patch)
tree6445edddaad24d181ea1fee3b3866dbe43609f2e /src/lib/gssapi
parentf750aa8aba04a8853225b35cd256506056bb8be8 (diff)
ok, let's try this again..
* accept_sec_context.c (krb5_gss_accept_sec_context): Only null out the auth_context's rcache if it was provided by acceptor creds; this prevents a leak. * delete_sec_context.c (krb5_gss_delete_sec_context): Only null out the auth_context's rcache if it was provided by acceptor creds; this prevents a leak. * gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track whether acceptor creds provided an rcache. ticket: 2600 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16465 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog13
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c7
-rw-r--r--src/lib/gssapi/krb5/delete_sec_context.c4
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h1
4 files changed, 21 insertions, 4 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 84fb45606..786a4164a 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,16 @@
+2004-06-15 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Only null
+ out the auth_context's rcache if it was provided by acceptor
+ creds; this prevents a leak.
+
+ * delete_sec_context.c (krb5_gss_delete_sec_context): Only null
+ out the auth_context's rcache if it was provided by acceptor
+ creds; this prevents a leak.
+
+ * gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track
+ whether acceptor creds provided an rcache.
+
2004-06-14 Tom Yu <tlyu@mit.edu>
* init_sec_context.c (krb5_gss_init_sec_context): Fix pointer
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 77ab8df1e..2b7d8494c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -249,7 +249,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
gss_cred_id_t cred_handle = NULL;
krb5_gss_cred_id_t deleg_cred = NULL;
krb5int_access kaccess;
- int got_rcache = 0;
+ int cred_rcache = 0;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (code) {
@@ -383,7 +383,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
if (cred->rcache) {
- got_rcache = 1;
+ cred_rcache = 1;
if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
major_status = GSS_S_FAILURE;
goto fail;
@@ -612,6 +612,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
ctx->seed_init = 0;
ctx->big_endian = bigend;
+ ctx->cred_rcache = cred_rcache;
/* Intern the ctx pointer so that delete_sec_context works */
if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
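Review bot: `ctx->cred_rcache` is only assigned at this point, and the hunk does not show where `ctx->auth_context` is set, so any failure path taken after that assignment but before this line would tear the context down with the flag still at its initial value. If that teardown goes through krb5_gss_delete_sec_context, a credential-owned rcache would not be detached and `krb5_auth_con_free` would presumably close it while the acceptor creds still point at it. Assigning the flag immediately next to the `ctx->auth_context` assignment would close that window. The body of krb5_gss_accept_sec_context extends well beyond this hunk, so this needs checking against the full function.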
@@ -879,7 +880,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_free_authenticator(context, authdat);
/* The ctx structure has the handle of the auth_context */
if (auth_context && !ctx) {
- if (!got_rcache)
+ if (cred_rcache)
(void)krb5_auth_con_setrcache(context, auth_context, NULL);
krb5_auth_con_free(context, auth_context);
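Review bot: The result of `krb5_auth_con_setrcache(context, auth_context, NULL)` is discarded with `(void)`. If that call can ever fail, the `krb5_auth_con_free` on the next line would release a replay cache that the acceptor credential still references, leaving a dangling pointer for later accepts that reuse the credential. The ownership rule behind the test is also not written down here, and the previous inverted condition shows how easy it is to get backwards. A comment above the `if` such as `/* rcache is borrowed from cred: detach it so auth_con_free does not close it */` would help, and the same comment belongs on the matching test in delete_sec_context.c. The enclosing function starts and ends outside this hunk.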
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 3d4706808..be91cd078 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -94,7 +94,9 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
krb5_free_keyblock(context, ctx->acceptor_subkey);
if (ctx->auth_context) {
- (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+ if (ctx->cred_rcache)
+ (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+
krb5_auth_con_free(context, ctx->auth_context);
}
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index b5a24960e..5b1394a29 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -192,6 +192,7 @@ typedef struct _krb5_gss_ctx_id_rec {
krb5_cksumtype cksumtype; /* for "main" subkey */
krb5_keyblock *acceptor_subkey; /* CFX only */
krb5_cksumtype acceptor_subkey_cksumtype;
+ int cred_rcache; /* did we get rcache from creds? */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern g_set kg_vdb;
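Review bot: The new `cred_rcache` field decides whether teardown detaches or frees the replay cache, but this commit gives it a value only in krb5_gss_accept_sec_context. Any other code that builds a `krb5_gss_ctx_id_rec` (the initiator path, and any context import or deserialization path, none of which is visible in this diff) depends on the struct having been zeroed. If one of those leaves the field uninitialised, krb5_gss_delete_sec_context will make an arbitrary ownership decision, which means either a leaked rcache or one closed while the credential still uses it. The field comment could state the contract instead of asking a question, for example `/* nonzero: auth_context's rcache is borrowed from acceptor creds; detach before krb5_auth_con_free */`.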