krb5 commit: Fix error handling in gss_export_sec_context()

Greg Hudson ghudson at mit.edu
Mon Sep 14 19:51:56 EDT 2015


https://github.com/krb5/krb5/commit/4f35b27a9ee38ca0b557ce8e6d059924a63d4eff
commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff
Author: Nicolas Williams <nico at twosigma.com>
Date:   Tue Sep 1 19:42:58 2015 -0400

    Fix error handling in gss_export_sec_context()
    
    In the mechglue gss_export_sec_context(), make sure to delete the
    union context if the underlying mech context has been deleted.  This
    can happen if the mech's gss_export_sec_context() returns a failure
    and deletes the context (not a behavior exhibited by any of our
    in-tree mechanisms, but an allowed behavior for other mechs), or if we
    fail to allocate space for the wrapped token.
    
    [ghudson at mit.edu: commit message; rename exit label to "cleanup" and
    make it valid for all exit cases]
    
    ticket: 8240 (new)
    target_version: 1.13.3
    tags: pullup

 src/lib/gssapi/mechglue/g_exp_sec_context.c |   30 +++++++++++++++-----------
 1 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
index 03a6f2b..e5f95ad 100644
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -79,9 +79,9 @@ gss_buffer_t		interprocess_token;
 {
     OM_uint32		status;
     OM_uint32 		length;
-    gss_union_ctx_id_t	ctx;
+    gss_union_ctx_id_t	ctx = (gss_union_ctx_id_t) *context_handle;
     gss_mechanism	mech;
-    gss_buffer_desc	token;
+    gss_buffer_desc	token = GSS_C_EMPTY_BUFFER;
     char		*buf;
 
     status = val_exp_sec_ctx_args(minor_status,
@@ -94,7 +94,6 @@ gss_buffer_t		interprocess_token;
      * call it.
      */
 
-    ctx = (gss_union_ctx_id_t) *context_handle;
     mech = gssint_get_mechanism (ctx->mech_type);
     if (!mech)
 	return GSS_S_BAD_MECH;
@@ -105,15 +104,16 @@ gss_buffer_t		interprocess_token;
 					  &ctx->internal_ctx_id, &token);
     if (status != GSS_S_COMPLETE) {
 	map_error(minor_status, mech);
-	return (status);
+	goto cleanup;
     }
 
     length = token.length + 4 + ctx->mech_type->length;
     interprocess_token->length = length;
     interprocess_token->value = malloc(length);
     if (interprocess_token->value == 0) {
-	(void) gss_release_buffer(minor_status, &token);
-	return (GSS_S_FAILURE);
+	*minor_status = ENOMEM;
+	status = GSS_S_FAILURE;
+	goto cleanup;
     }
     buf = interprocess_token->value;
     length = ctx->mech_type->length;
@@ -127,13 +127,17 @@ gss_buffer_t		interprocess_token;
     memcpy(buf+4, ctx->mech_type->elements, (size_t) ctx->mech_type->length);
     memcpy(buf+4+ctx->mech_type->length, token.value, token.length);
 
-    (void) gss_release_buffer(minor_status, &token);
-
-    free(ctx->mech_type->elements);
-    free(ctx->mech_type);
-    free(ctx);
-    *context_handle = 0;
+    status = GSS_S_COMPLETE;
 
-    return(GSS_S_COMPLETE);
+cleanup:
+    (void) gss_release_buffer(minor_status, &token);
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
+	/* If the mech deleted its context, delete the union context. */
+	free(ctx->mech_type->elements);
+	free(ctx->mech_type);
+	free(ctx);
+	*context_handle = GSS_C_NO_CONTEXT;
+    }
+    return status;
 }
 #endif /*LEAN_CLIENT */


More information about the cvs-krb5 mailing list