From 4cfdf8da69f52c778af4faaea663981a67634bb6 Mon Sep 17 00:00:00 2001
From: Kevin Wasserman
Date: Wed, 1 Aug 2012 18:30:02 -0400
Subject: Fix oid set construction in gss_inquire_cred()
Use gssapi calls to construct the oid sets. It is not safe on windows to use malloc to hand-construct the set and then call gss_release_oid_set() to clean it up.
Signed-off-by: Kevin Wasserman
ticket: 7227 (new)
tags: pullup
---
 src/lib/gssapi/mechglue/g_inq_cred.c | 32 ++++++++++----------------------
 1 file changed, 10 insertions(+), 22 deletions(-)
(limited to 'src/lib/gssapi')
diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c
index 3c09d6103..7dab78172 100644
--- a/src/lib/gssapi/mechglue/g_inq_cred.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred.c
@@ -123,29 +123,23 @@ gss_OID_set * mechanisms;
 */
 if(mechanisms != NULL) {
- status = GSS_S_FAILURE;
- mechs = (gss_OID_set) malloc(sizeof(gss_OID_set_desc));
- if (mechs == NULL)
- goto error;
- mechs->count = 0;
- mechs->elements = malloc(sizeof(gss_OID_desc) *
- (union_cred ? union_cred->count : 1));
- if (mechs->elements == NULL)
+ status = gss_create_empty_oid_set(minor_status, &mechs);
+ if (GSS_ERROR(status))
 goto error;
 if (union_cred) {
 for (i = 0; i < union_cred->count; i++) {
- mechs->elements[i].elements =
- malloc(union_cred->mechs_array[i].length);
- if (mechs->elements[i].elements == NULL)
+ status = gss_add_oid_set_member(minor_status,
+ &union_cred->mechs_array[i],
+ &mechs);
+ if (GSS_ERROR(status))
 goto error;
- g_OID_copy(&mechs->elements[i], &union_cred->mechs_array[i]);
- mechs->count++;
 }
 } else {
- mechs->elements[0].elements = malloc(mech->mech_type.length);
- g_OID_copy(&mechs->elements[0], &mech->mech_type);
- mechs->count++;
+ status = gss_add_oid_set_member(minor_status,
+ &mech->mech_type, &mechs);
+ if (GSS_ERROR(status))
+ goto error;
 }
 *mechanisms = mechs;
 }
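Review bot: The `error:` path still decides whether to call `gss_release_oid_set()` by testing `mechs != NULL`, but in the new code `mechs` is only ever written through `gss_create_empty_oid_set(minor_status, &mechs)` and `gss_add_oid_set_member(..., &mechs)`, so a failure of the first call makes that test depend on how `mechs` was initialised at its declaration, which lies outside this hunk. If it is not already, declare it as `gss_OID_set mechs = GSS_C_NO_OID_SET;` so the cleanup never releases an indeterminate pointer. It would also help to record the reason for the change above the block, since the commit removes the only comment about cleanup and a later edit could reintroduce a hand-built set: `/* Build the set with the gss_*_oid_set calls so gss_release_oid_set() frees it with the matching allocator. */`. The enclosing function starts before and ends after the hunk.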
@@ -153,12 +147,6 @@ gss_OID_set * mechanisms;
 return(GSS_S_COMPLETE);
 error:
- /*
- * cleanup any allocated memory - we can just call
- * gss_release_oid_set, because the set is constructed so that
- * count always references the currently copied number of
- * elements.
- */
 if (mechs != NULL)
 (void) gss_release_oid_set(&temp_minor_status, &mechs);
-- cgit