krb5 commit [krb5-1.13]: Fix scope of kadmind ACL wildcard back-references
Tom Yu
tlyu at mit.edu
Wed Mar 18 16:25:00 EDT 2015
https://github.com/krb5/krb5/commit/8e67dce9379c0f50bdccc12619fecad423aa5384
commit 8e67dce9379c0f50bdccc12619fecad423aa5384
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Mar 12 16:36:33 2015 -0400
Fix scope of kadmind ACL wildcard back-references
In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry. Otherwise the wildcards we process can affect
back-references for later entries.
(cherry picked from commit d3d18b8d8d7a47766fd4e9667d045035f43d90ef)
ticket: 8154
version_fixed: 1.13.2
status: resolved
src/lib/kadm5/srv/server_acl.c | 2 +-
src/tests/t_kadmin_acl.py | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index a35d795..86e1367 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -610,8 +610,8 @@ kadm5int_acl_find_entry(kcontext, principal, dest_princ)
wildstate_t state;
DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
- memset(&state, 0, sizeof state);
for (entry=acl_list_head; entry; entry = entry->ae_next) {
+ memset(&state, 0, sizeof(state));
if (entry->ae_name_bad)
continue;
if (!strcmp(entry->ae_name, "*")) {
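Review bot: The per-entry `memset(&state, 0, sizeof(state));` at the top of the loop has no comment saying why it must stay inside the loop. Hoisting it back out looks like a harmless optimisation, but it would reintroduce cross-entry back-reference leakage in an authorization path. I would add above it: `/* Reset back-references for each entry; wildcard matches from an earlier entry must not feed this entry's target. */`. The rest of kadm5int_acl_find_entry() lies outside the hunk, so I am assuming state is only written by the matching code inside this loop and holds nothing that needs freeing before it is zeroed.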
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index c4b8465..8b04c1e 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -65,6 +65,8 @@ restricted_modify im * +preauth
restricted_rename ad * +preauth
*/* d *2/*1
+# The next line is a regression test for #8154; it is not used directly.
+one/*/*/five l
*/two/*/* d *3/*1/*2
*/admin a
wctarget a wild/*
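Review bot: The added comment says the `one/*/*/five l` entry is not used directly, but it does not say what makes the entry effective. As far as the hunk shows, that is its position immediately before `*/two/*/* d *3/*1/*2`, the entry whose back-references would be disturbed. I would spell out the ordering dependency so a later cleanup does not move or drop the line: `# Regression test for #8154: keep this before the */two/*/* entry; its wildcards must not leak into that entry's back-references.` The assertions that exercise the `*/two/*/*` entry are outside the hunk, so it is worth confirming that one of them fails without the server_acl.c change.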