krb5 commit: Don't free cred handle used in kadm5 server handle
Greg Hudson
ghudson at MIT.EDU
Thu Mar 27 11:42:50 EDT 2014
https://github.com/krb5/krb5/commit/b24c362f0589a6212f2f544263bdb76e0988c582
commit b24c362f0589a6212f2f544263bdb76e0988c582
Author: Tomas Kuthan <tkuthan at gmail.com>
Date: Wed Mar 26 17:04:30 2014 +0100
Don't free cred handle used in kadm5 server handle
At the end of setup_gss(), gss_client_creds is released, but an alias
to the credential handle is saved in kadm5_server_handle_t in
handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred.
Accessing these credentials (by authgss_refresh) can result in use
after free.
This fix stores credential reference in server handle and releases
the credentials in kadm5_destroy.
[ghudson at mit.edu: initialize handle->cred to correct constant; get rid
of gss_client_creds variable; clarify commit message slightly]
ticket: 7891 (new)
src/lib/kadm5/clnt/client_init.c | 13 ++++++-------
src/lib/kadm5/clnt/client_internal.h | 1 +
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index 211bb55..48d9388 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -193,6 +193,7 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
handle->cache_name = 0;
handle->destroy_cache = 0;
handle->context = 0;
+ handle->cred = GSS_C_NO_CREDENTIAL;
*handle->lhandle = *handle;
handle->lhandle->api_version = KADM5_API_VERSION_4;
handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
@@ -577,11 +578,9 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
gss_buffer_desc buf;
gss_name_t gss_client;
gss_name_t gss_target;
- gss_cred_id_t gss_client_creds;
const char *c_ccname_orig;
char *ccname_orig;
- gss_client_creds = GSS_C_NO_CREDENTIAL;
ccname_orig = NULL;
gss_client = gss_target = GSS_C_NO_NAME;
@@ -614,7 +613,7 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
gssstat = gss_acquire_cred(&minor_stat, gss_client, 0,
GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- &gss_client_creds, NULL, NULL);
+ &handle->cred, NULL, NULL);
if (gssstat != GSS_S_COMPLETE) {
#if 0 /* for debugging only */
{
@@ -667,12 +666,9 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in,
* Do actual creation of RPC auth handle. Implements auth flavor
* fallback.
*/
- rpc_auth(handle, params_in, gss_client_creds, gss_target);
+ rpc_auth(handle, params_in, handle->cred, gss_target);
error:
- if (gss_client_creds != GSS_C_NO_CREDENTIAL)
- (void) gss_release_cred(&minor_stat, &gss_client_creds);
-
if (gss_client)
gss_release_name(&minor_stat, &gss_client);
if (gss_target)
@@ -743,6 +739,7 @@ rpc_auth(kadm5_server_handle_t handle, kadm5_config_params *params_in,
kadm5_ret_t
kadm5_destroy(void *server_handle)
{
+ OM_uint32 minor_stat;
krb5_ccache ccache = NULL;
int code = KADM5_OK;
kadm5_server_handle_t handle =
@@ -757,6 +754,8 @@ kadm5_destroy(void *server_handle)
}
if (handle->cache_name)
free(handle->cache_name);
+ if (handle->cred)
+ (void)gss_release_cred(&minor_stat, &handle->cred);
if (handle->clnt && handle->clnt->cl_auth)
AUTH_DESTROY(handle->clnt->cl_auth);
if (handle->clnt)
diff --git a/src/lib/kadm5/clnt/client_internal.h b/src/lib/kadm5/clnt/client_internal.h
index 6ee8eea..fca7a7d 100644
--- a/src/lib/kadm5/clnt/client_internal.h
+++ b/src/lib/kadm5/clnt/client_internal.h
@@ -74,6 +74,7 @@ typedef struct _kadm5_server_handle_t {
CLIENT * clnt;
int client_socket;
krb5_context context;
+ gss_cred_id_t cred;
kadm5_config_params params;
struct _kadm5_server_handle_t *lhandle;
} kadm5_server_handle_rec, *kadm5_server_handle_t;
More information about the cvs-krb5
mailing list