authorSimo Sorce <simo@redhat.com>2013-04-05 18:04:35 -0400
committerSimo Sorce <simo@redhat.com>2013-04-05 18:39:10 -0400
commit4dc4718becc20224b9da5657b8216af7d4da8ac5 (patch)
treec36d6a7a194d4b928fc2f44d28e4ae01054574e6
parent0ce973a59ab3393481ba7c434a7353b5007cba71 (diff)
Fix double free when exporting lucid context
When using GSSAPI's gss_krb5_export_lucid_context the context passed into the function is actually deleted during the export (to avoid reuse, since the context contains state that depends on how it has been used). Change the code to pass in a pointer to the context so that it can be set to NULL when the GSSAPI context is consumed; subsequent calls to gss_delete_sec_context then no longer cause double-free errors and segfaults. Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--utils/gssd/context.c2
-rw-r--r--utils/gssd/context.h4
-rw-r--r--utils/gssd/context_heimdal.c4
-rw-r--r--utils/gssd/context_lucid.c4
-rw-r--r--utils/gssd/context_mit.c4
-rw-r--r--utils/gssd/gssd_proc.c4
-rw-r--r--utils/gssd/svcgssd_proc.c2
7 files changed, 12 insertions, 12 deletions
diff --git a/utils/gssd/context.c b/utils/gssd/context.c
index fee7da2..7757a77 100644
--- a/utils/gssd/context.c
+++ b/utils/gssd/context.c
@@ -44,7 +44,7 @@
#include "context.h"
int
-serialize_context_for_kernel(gss_ctx_id_t ctx,
+serialize_context_for_kernel(gss_ctx_id_t *ctx,
gss_buffer_desc *buf,
gss_OID mech,
int32_t *endtime)
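Review bot: The new pointer parameter is dereferenced by the backend serialize_krb5_ctx implementations, but nothing visible here rejects a caller handing in an empty handle before the dispatch. A guard at the top of the body, `if (ctx == NULL || *ctx == GSS_C_NO_CONTEXT) return -1;`, would turn a NULL dereference in context_mit.c's initializer into the non-zero failure both call sites already check for (`if (serialize_context_for_kernel(...))`). The body of serialize_context_for_kernel continues outside the hunk, so if such a check already exists further down this is moot; confirm the -1 matches the function's existing error convention.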
diff --git a/utils/gssd/context.h b/utils/gssd/context.h
index 0e437f4..3b55c8e 100644
--- a/utils/gssd/context.h
+++ b/utils/gssd/context.h
@@ -41,9 +41,9 @@
#define KRB5_CTX_FLAG_CFX 0x00000002
#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
-int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
+int serialize_context_for_kernel(gss_ctx_id_t *ctx, gss_buffer_desc *buf,
gss_OID mech, int32_t *endtime);
-int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf,
+int serialize_krb5_ctx(gss_ctx_id_t *ctx, gss_buffer_desc *buf,
int32_t *endtime);
#endif /* _CONTEXT_H_ */
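Review bot: The prototypes now take `gss_ctx_id_t *`, but the header does not say why, and the ownership rule differs per backend: per the commit message the lucid build deletes the context during export and leaves `*ctx` as GSS_C_NO_CONTEXT, while the MIT and Heimdal builds only read it. A comment above the two declarations would save the next caller from re-introducing the double free, e.g. `/* ctx is passed by reference because the lucid backend consumes the context: on success *ctx is set to GSS_C_NO_CONTEXT and the caller must not delete it again. Other backends leave *ctx intact. */`. The declaration lines themselves need no change.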
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index 6f3b8fd..1e8738a 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -203,9 +203,9 @@ int write_heimdal_seq_key(char **p, char *end, gss_ctx_id_t ctx)
*/
int
-serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime)
+serialize_krb5_ctx(gss_ctx_id_t *_ctx, gss_buffer_desc *buf, int32_t *endtime)
{
-
+ gss_ctx_id_t ctx = *_ctx;
char *p, *end;
static int constant_one = 1;
static int constant_zero = 0;
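Review bot: The Heimdal variant copies `*_ctx` into a local and never writes back through `_ctx`, so on this backend the caller's handle stays live and is still the caller's to delete, which is the opposite of the lucid backend's contract; that asymmetry deserves a line at the new declaration, e.g. `gss_ctx_id_t ctx = *_ctx; /* read-only here: *_ctx is left intact for the caller to delete */`. As a minor style point the parameter is named `_ctx` here but `ctx` in the other two backends' definitions of the same function; keeping the names aligned makes the three files easier to diff against each other. The body of serialize_krb5_ctx continues outside the hunk.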
diff --git a/utils/gssd/context_lucid.c b/utils/gssd/context_lucid.c
index 64146d7..badbe88 100644
--- a/utils/gssd/context_lucid.c
+++ b/utils/gssd/context_lucid.c
@@ -257,7 +257,7 @@ out_err:
int
-serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime)
+serialize_krb5_ctx(gss_ctx_id_t *ctx, gss_buffer_desc *buf, int32_t *endtime)
{
OM_uint32 maj_stat, min_stat;
void *return_ctx = 0;
@@ -266,7 +266,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime)
int retcode = 0;
printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
- maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
+ maj_stat = gss_export_lucid_sec_context(&min_stat, ctx,
1, &return_ctx);
if (maj_stat != GSS_S_COMPLETE) {
pgsserr("gss_export_lucid_sec_context",
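Review bot: The fix depends on gss_export_lucid_sec_context resetting `*ctx` to GSS_C_NO_CONTEXT when it deletes the context, and nothing in the hunk records that expectation; the rest of serialize_krb5_ctx, which continues outside the hunk, must not touch `*ctx` after this call. A comment above the call would make the contract explicit, e.g. `/* Consumes *ctx: on success the library deletes the context and sets *ctx to GSS_C_NO_CONTEXT, so the caller's later gss_delete_sec_context is a no-op. */`. The failure branch presumably leaves the context intact and still owned by the caller; if so, say that too, since the two outcomes imply different cleanup duties for gssd_proc.c and svcgssd_proc.c.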
diff --git a/utils/gssd/context_mit.c b/utils/gssd/context_mit.c
index e6db9cb..fad6756 100644
--- a/utils/gssd/context_mit.c
+++ b/utils/gssd/context_mit.c
@@ -152,9 +152,9 @@ typedef struct gss_union_ctx_id_t {
} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
int
-serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime)
+serialize_krb5_ctx(gss_ctx_id_t *ctx, gss_buffer_desc *buf, int32_t *endtime)
{
- krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id;
+ krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)(*ctx))->internal_ctx_id;
char *p, *end;
static int constant_zero = 0;
static int constant_one = 1;
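Review bot: `*ctx` is dereferenced in the initializer of `kctx`, before any statement could validate it, so a handle of GSS_C_NO_CONTEXT (which is exactly what the lucid path leaves behind, and what an earlier failure in the caller can produce) becomes a NULL dereference through the union cast. Moving the initialization below a guard keeps the declaration but makes the failure an error return: `krb5_gss_ctx_id_t kctx;` then, after the other declarations, `if (ctx == NULL || *ctx == GSS_C_NO_CONTEXT) return -1;` and `kctx = ((gss_union_ctx_id_t)(*ctx))->internal_ctx_id;`. The dereference of the mechglue's private `gss_union_ctx_id_t` layout predates this change and is not re-raised here; the body of serialize_krb5_ctx continues outside the hunk, so confirm -1 matches its existing error returns.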
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 698f86f..d6f07e6 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -1066,7 +1066,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
printerr(1, "WARNING: Failed to inquire context for lifetme "
"maj_stat %u\n", maj_stat);
- if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) {
+ if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) {
printerr(0, "WARNING: Failed to serialize krb5 context for "
"user with uid %d for server %s\n",
uid, clp->servername);
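Review bot: After this call `pd.pd_ctx` may or may not still be a live context, depending on which serialize_krb5_ctx backend was linked, and the call site gives no hint of that; a one-line comment above the `if` would help whoever reads the cleanup at `out:`, e.g. `/* May consume pd.pd_ctx: the lucid backend deletes the context during export and leaves GSS_C_NO_CONTEXT behind. */`. The enclosing function process_krb5_upcall starts and ends outside the hunk.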
@@ -1079,7 +1079,7 @@ out:
if (token.value)
free(token.value);
#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA
- if (pd.pd_ctx_hndl.length != 0)
+ if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != 0)
authgss_free_private_data(&pd);
#endif
if (auth)
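Review bot: The widened cleanup condition compares a `gss_ctx_id_t` against a bare `0`; the GSS-API constant is `GSS_C_NO_CONTEXT`, so `if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != GSS_C_NO_CONTEXT)` reads as intended and matches how the rest of the file tests handles. The test is only meaningful if `pd` was zero-initialised before any of the earlier `goto out` paths, and the declaration is outside the hunk — worth confirming, since an uninitialised `pd_ctx` here would hand garbage to authgss_free_private_data. The `out:` block belongs to process_krb5_upcall, which starts outside the hunk.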
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 0d4f78d..3757d51 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -484,7 +484,7 @@ handle_nullreq(FILE *f) {
/* kernel needs ctx to calculate verifier on null response, so
* must give it context before doing null call: */
- if (serialize_context_for_kernel(ctx, &ctx_token, mech, &ctx_endtime)) {
+ if (serialize_context_for_kernel(&ctx, &ctx_token, mech, &ctx_endtime)) {
printerr(0, "WARNING: handle_nullreq: "
"serialize_context_for_kernel failed\n");
maj_stat = GSS_S_FAILURE;