krb5 commit: Fix krb5 gss_acquire_cred_impersonate_name crash
Greg Hudson
ghudson at mit.edu
Fri Sep 19 16:38:39 EDT 2014
https://github.com/krb5/krb5/commit/17689700b27c6fb6d26156330d11b57ef79385d3
commit 17689700b27c6fb6d26156330d11b57ef79385d3
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Sep 19 11:35:10 2014 -0400
Fix krb5 gss_acquire_cred_impersonate_name crash
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash. Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.
Based on a patch from Solly Ross <sross at redhat.com>.
ticket: 8017 (new)
target_version: 1.13
tags: pullup
src/lib/gssapi/krb5/s4u_gss_glue.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4381a84..ff1c310 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -113,6 +113,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
{
OM_uint32 major_status;
krb5_error_code code;
+ krb5_gss_cred_id_t imp_cred = (krb5_gss_cred_id_t)impersonator_cred_handle;
krb5_gss_cred_id_t cred;
krb5_context context;
@@ -130,6 +131,11 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
+ if (imp_cred->usage != GSS_C_INITIATE && imp_cred->usage != GSS_C_BOTH) {
+ *minor_status = 0;
+ return GSS_S_NO_CRED;
+ }
+
*output_cred_handle = GSS_C_NO_CREDENTIAL;
if (time_rec != NULL)
*time_rec = 0;
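Review bot: The new check reads `imp_cred->usage` on the first added line of this hunk before the handle has been validated or locked — the `k5_mutex_unlock(&imp_cred->lock)` in the last hunk suggests the cred lock is taken further down, outside this hunk, so this read is presumably unlocked; that is only safe if `usage` is fixed when the cred is acquired and never rewritten afterwards, which the hunk cannot show and which deserves a note at the check. The reason for rejecting the cred lives only in the commit message, so I would add above the `if`: `/* An acceptor-only impersonator cred leaves fields null that the code below dereferences; reject it with GSS_S_NO_CRED, as init_sec_context does. */`. The enclosing function krb5_gss_acquire_cred_impersonate_name begins and ends outside this hunk.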
@@ -148,7 +154,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
}
major_status = kg_impersonate_name(minor_status,
- (krb5_gss_cred_id_t)impersonator_cred_handle,
+ imp_cred,
(krb5_gss_name_t)desired_name,
time_req,
&cred,
@@ -158,7 +164,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
if (!GSS_ERROR(major_status))
*output_cred_handle = (gss_cred_id_t)cred;
- k5_mutex_unlock(&((krb5_gss_cred_id_t)impersonator_cred_handle)->lock);
+ k5_mutex_unlock(&imp_cred->lock);
krb5_free_context(context);
return major_status;