svn rev #22220: branches/krb5-1-7/src/lib/gssapi/krb5/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Apr 14 17:07:21 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22220
Commit By: tlyu
Log Message:
ticket: 6412
version_fixed: 1.7

pull up r22081, r22082 from trunk

 ------------------------------------------------------------------------
 r22082 | raeburn | 2009-03-12 18:06:35 -0400 (Thu, 12 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c

 ticket: 6412
 tags: pullup

 Better fix: Delay setting 'outbuf' until after the header buffer might
 have been allocated locally, and set it in both code paths instead of
 just the confidentiality-requested code path.
 ------------------------------------------------------------------------
 r22081 | raeburn | 2009-03-12 12:48:15 -0400 (Thu, 12 Mar 2009) | 7 lines
 Changed paths:
    M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c

 ticket: 6412
 subject: crash using library-allocated storage for header in wrap_iov
 target_version: 1.7
 tags: pullup

 When allocating storage for the header buffer, update the internal
 output buffer pointer as well.


Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c
Modified: branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c
===================================================================
--- branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c	2009-04-14 21:07:18 UTC (rev 22219)
+++ branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c	2009-04-14 21:07:21 UTC (rev 22220)
@@ -90,8 +90,6 @@
 
     trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 
-    outbuf = (unsigned char *)header->buffer.value;
-
     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
         unsigned int k5_headerlen, k5_trailerlen, k5_padlen;
         size_t ec = 0;
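Review bot: With the assignment at old line 93 removed, `outbuf` has no value on entry to either branch, and the visible lines do not show its declaration or what the `cleanup` label touches. Please confirm that `outbuf` is initialized to NULL where it is declared and that nothing between this point and the new per-branch assignments reads it. A short comment here saying that `outbuf` is deliberately set only after the header buffer is final (because `header->buffer.value` may be replaced when `GSS_IOV_BUFFER_FLAG_ALLOCATE` is set) would stop someone from hoisting it back up later.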
@@ -129,12 +127,13 @@
             gss_headerlen += gss_trailerlen;
         }
 
-        if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
+        if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
             code = kg_allocate_iov(header, (size_t) gss_headerlen);
-        else if (header->buffer.length < gss_headerlen)
+        } else if (header->buffer.length < gss_headerlen)
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
+        outbuf = (unsigned char *)header->buffer.value;
         header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {
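Review bot: The braces added around the `kg_allocate_iov()` arm leave the `if`/`else if` chain half-braced: `} else if (header->buffer.length < gss_headerlen)` still has an unbraced body. Since the `outbuf` assignment now sits after the `if (code != 0) goto cleanup;` check rather than inside the allocate arm, the braces serve no purpose; either drop them to keep the diff minimal or brace both arms. The placement of `outbuf = (unsigned char *)header->buffer.value;` itself looks right: it runs only when allocation or the length check succeeded, so it never captures a pointer from a failed `kg_allocate_iov()`.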
@@ -204,6 +203,7 @@
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
+        outbuf = (unsigned char *)header->buffer.value;
         header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {
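Review bot: This second `outbuf = (unsigned char *)header->buffer.value;` duplicates the one in the confidentiality branch, following an identical `if (code != 0) goto cleanup;` / `header->buffer.length = (size_t) gss_headerlen;` sequence. The log for r22082 says the earlier fix covered only one of the two paths, which is the kind of drift duplicated code invites; consider moving the size-check, assign-`outbuf`, set-length sequence into one helper, or assigning `outbuf` once after the two branches rejoin. The change also carries no regression test: a case that calls wrap_iov with `GSS_IOV_BUFFER_FLAG_ALLOCATE` on the header, both with and without `conf_req_flag`, would cover the crash from ticket 6412 in both paths.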



