author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-12-18 14:33:23 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-12-18 14:33:23 -0500 |
commit | 2550a37b4fe67cef2049587667bfe4a84911ba3e (patch) | |
tree | ab7fb7f0e4160d480f72693d96bc40355ab6f623 | |
parent | 460d74d224cd0f889c5c59306ac4b37004945b7f (diff) | |
download | krb5-2550a37b4fe67cef2049587667bfe4a84911ba3e.tar.gz krb5-2550a37b4fe67cef2049587667bfe4a84911ba3e.tar.xz krb5-2550a37b4fe67cef2049587667bfe4a84911ba3e.zip |
Pull in a fix for a mem leak from master (RT#7805)krb5-1.12-2.fc21
- pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805, part
of #1043962)
-rw-r--r-- | krb5-master-keytab_close.patch | 39 | ||||
-rw-r--r-- | krb5.spec | 5 |
2 files changed, 44 insertions, 0 deletions
diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch
new file mode 100644
index 0000000..d020ae6
--- /dev/null
+++ b/krb5-master-keytab_close.patch
@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Mon Dec 16 15:37:56 2013 -0500
+
+ Fix GSS krb5 acceptor acquire_cred error handling
+
+ When acquiring acceptor creds with a specified name, if we fail to
+ open a replay cache, we leak the keytab handle. If there is no
+ specified name and we discover that there is no content in the keytab,
+ we leak the keytab handle and return the wrong major code. Memory
+ leak reported by Andrea Campi.
+
+ ticket: 7805
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+ &cred->rcache);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+ /* Make sure we have a keytab with keys in it. */
+ code = krb5_kt_have_content(context, kt);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+- return GSS_S_FAILURE;
++ return GSS_S_CRED_UNAVAIL;
+ }
+ }
+
@@ -93,6 +93,7 @@ Patch134: krb5-1.11-kpasswdtest.patch Patch135: krb5-master-no-malloc0.patch Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch Patch137: krb5-master-gss_oid_leak.patch +Patch138: krb5-master-keytab_close.patch License: MIT URL: http://web.mit.edu/kerberos/www/ 
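Review bot: The second error branch of the embedded acquire_cred.c change (the `krb5_kt_have_content` failure) also switches the major status from GSS_S_FAILURE to GSS_S_CRED_UNAVAIL, which callers can observe, yet neither the code nor the packaging changelog entry (which mentions only the leak) records why. A one-line comment above that return, such as `/* No keys in the keytab: report missing credentials, not a generic failure. */`, would keep a later cleanup from reverting it. Both branches now repeat `krb5_kt_close(context, kt);` by hand; acquire_accept_cred starts and ends outside these hunks, so any other early return after the keytab is opened presumably needs the same call, and a single cleanup label would make that harder to miss in a long-running acceptor where leaked handles accumulate.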
@@ -306,6 +307,7 @@ ln -s NOTICE LICENSE %patch135 -p1 -b .no-malloc0 %patch136 -p1 -b .ignore-empty-unnecessary-final-token %patch137 -p1 -b .gss_oid_leak +%patch138 -p1 -b .keytab_close # Apply when the hard-wired or configured default location is # DIR:/run/user/%%{uid}/krb5cc. @@ -968,6 +970,9 @@ exit 0 we've already finished authenticating (RT#7797, part of #1043962) - pull in fix from master to avoid a memory leak when a mechanism's init_sec_context function fails (RT#7803, part of #1043962) +- pull in fix from master to avoid a memory leak in a couple of error + cases which could occur while obtaining acceptor credentials (RT#7805, part + of #1043962) * Wed Dec 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-1 - update to 1.12 final |