There are two mutex locking issues that Roland Dowdeswell noticed in

the memory ccache.  The first one is in cc_memory.c:krb5_mcc_initialize(). 
When it is free(3)ing the existing credentials it does not lock the 
data structures and hence two separate threads can run into issues.

The same problem exists in cc_memory.c:krb5_mcc_destroy().

ticket: 5895
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20555 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 13 insertions, 0 deletions

diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index d5c0493ba..3427c7582 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -139,10 +139,18 @@ krb5_error_code KRB5_CALLCONV
 krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
 {
     krb5_error_code ret; 
+    krb5_mcc_data *d;
+
+    d = (krb5_mcc_data *)id->data;
+    ret = k5_mutex_lock(&d->lock);
+    if (ret)
+        return ret;
 
     krb5_mcc_free(context, id);
     ret = krb5_copy_principal(context, princ,
 			      &((krb5_mcc_data *)id->data)->prin);
+
+    k5_mutex_unlock(&d->lock);
     if (ret == KRB5_OK)
         krb5_change_cache();
     return ret;
@@ -209,8 +217,13 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id)
     }
     k5_mutex_unlock(&krb5int_mcc_mutex);
 
+    err = k5_mutex_lock(&d->lock);
+    if (err)
+        return err;
+
     krb5_mcc_free(context, id);
     krb5_xfree(d->name);
+    k5_mutex_unlock(&d->lock);
     k5_mutex_destroy(&d->lock);
     krb5_xfree(d); 
     krb5_xfree(id);