diff options
| author | Tom Yu <tlyu@mit.edu> | 2007-04-25 21:19:07 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2007-04-25 21:19:07 +0000 |
| commit | 220799ba475ec8044fedf544c15fab34d090b3a1 (patch) | |
| tree | 8700fed494d8777a7bf28cc5ad6db5731ba44e81 /src/lib | |
| parent | d6658915d06df1f90191b2ff12c7c4a61ab0e47e (diff) | |
| download | krb5-220799ba475ec8044fedf544c15fab34d090b3a1.tar.gz krb5-220799ba475ec8044fedf544c15fab34d090b3a1.tar.xz krb5-220799ba475ec8044fedf544c15fab34d090b3a1.zip | |
race condition in referrals fallback
* src/lib/krb5/krb/gc_frm_kdc.c (krb5_get_cred_from_kdc_opt):
During referrals fallback, set *tgts to NULL after freeing. This
avoids returning a pointer to freed memory when the first call to
do_traversal() obtains some TGTs and the subsequent
krb5_cc_retrieve_cred() of the final-hop TGT succeeds (due to some
other thread or process storing that TGT into the ccache), causing
second do_traversal() call (which would re-initialize *tgts) to
not execute. Race condition found during KfW-3.2 testing.
ticket: new
target_version: 1.6.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19526 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/krb/gc_frm_kdc.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index 4890bad50..5b9d3917a 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -1043,6 +1043,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_free_creds(context, (*tgts)[i]); } free(*tgts); + *tgts = NULL; } context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS, |