leaking rcache opens in gss_accept_sec_context
Greg Hudson
ghudson at MIT.EDU
Wed Jul 20 01:07:27 EDT 2011
On Tue, 2011-07-19 at 16:21 -0400, Benjamin Coddington wrote:
> gss_acquire_cred
> gss_accept_sec_context
> gss_export_lucid_sec_context
> gss_delete_sec_context
> I found that before we got to gss_delete_sec_context(), we had already
> tried to clean up the context in gss_krb5_export_lucid_sec_context()
> -> krb5_gss_delete_sec_context(), which fails with G_VALIDATE_FAILED.
> It also sets the context to GSS_C_NO_CONTEXT, so once we get to
> gss_delete_sec_context(), context validation fails there too.
Aha. Yes, that's the bug you found a reference to. (And thank you for
explaining why that bug wasn't resulting in gssd crashes for everyone in
previous releases. I had forgotten about the pointer validation code.)
I've attached the patch which is due for krb5 1.9.2.
gss_delete_sec_context should be unnecessary when
gss_export_lucid_sec_context succeeds. Of course, it's harmless given
the way GSS handles contexts (nulling out the pointer when they are
released).
-------------- next part --------------
commit 1d72f6deeb2a8445567228de6495264112294223
Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
Date: Mon May 9 17:28:07 2011 +0000
ticket: 6908
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
target_version: 1.9.2
tags: pullup
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24917 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c
index bc3b7c7..0035d4f 100644
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
/* Clean up the context state (it is an error for
* someone to attempt to use this context again)
*/
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
*context_handle = GSS_C_NO_CONTEXT;
generic_gss_release_buffer_set(&minor, &data_set);
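Review bot: the `(void)` cast on the new `gss_delete_sec_context` call discards its major status while the call still writes through the caller's `minor_status`, so a failed delete on this cleanup path can leave a nonzero minor status behind an otherwise successful export. The function already has a local `minor` (used on the `generic_gss_release_buffer_set(&minor, &data_set);` line), so passing `&minor` here instead of `minor_status` would keep the caller's minor status tied to the export result. The explicit `*context_handle = GSS_C_NO_CONTEXT;` after the call is still worth keeping, since it also covers the case where the mechglue delete returns an error without clearing the handle.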