leaking rcache opens in gss_accept_sec_context

Greg Hudson ghudson at MIT.EDU
Wed Jul 20 01:07:27 EDT 2011


On Tue, 2011-07-19 at 16:21 -0400, Benjamin Coddington wrote:
> gss_acquire_cred
> gss_accept_sec_context
> gss_export_lucid_sec_context
> gss_delete_sec_context

> I found that before we got to gss_delete_sec_context(), we had already
> tried to clean up the context in gss_krb5_export_lucid_sec_context()
> -> krb5_gss_delete_sec_context(), which fails with G_VALIDATE_FAILED.
> It also sets the context to GSS_C_NO_CONTEXT, so once we get to
> gss_delete_sec_context(), context validation fails there too.

Aha.  Yes, that's the bug you found a reference to.  (And thank you for
explaining why that bug wasn't resulting in gssd crashes for everyone in
previous releases.  I had forgotten about the pointer validation code.)
I've attached the patch which is due for krb5 1.9.2.

gss_delete_sec_context should be unnecessary when
gss_export_lucid_sec_context succeeds.  Of course, it's harmless given
the way GSS handles contexts (nulling out the pointer when they are
released).

-------------- next part --------------
commit 1d72f6deeb2a8445567228de6495264112294223
Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon May 9 17:28:07 2011 +0000

    ticket: 6908
    subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
    target_version: 1.9.2
    tags: pullup
    
    Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
    union context to krb5_gss_delete_sec_context(), causing a crash as the
    krb5 routine attempts to interpret a union context structure as a krb5
    GSS context.  Call the mechglue gss_delete_sec_context instead.
    
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24917 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c
index bc3b7c7..0035d4f 100644
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
     /* Clean up the context state (it is an error for
      * someone to attempt to use this context again)
      */
-    (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+    (void)gss_delete_sec_context(minor_status, context_handle, NULL);
     *context_handle = GSS_C_NO_CONTEXT;
 
     generic_gss_release_buffer_set(&minor, &data_set);
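Review bot: the replacement call `(void)gss_delete_sec_context(minor_status, context_handle, NULL);` still discards the major status, so a failure on the mechglue delete path (the quoted report describes exactly such a silent G_VALIDATE_FAILED from the old call) never surfaces to the caller, and it writes into the caller's `minor_status`, clobbering whatever minor code the export itself set. The function already has a `minor` local (used by `generic_gss_release_buffer_set(&minor, &data_set);` two lines down); consider passing `&minor` here and at least recording the result, and note that the following `*context_handle = GSS_C_NO_CONTEXT;` only does anything when the mechglue delete fails, since on success gss_delete_sec_context nulls the handle itself.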


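To make the handle contract the reply leans on concrete (a release nulls the caller's pointer, so a redundant gss_delete_sec_context is harmless, and a stale pointer is caught by validation rather than dereferenced), here is an added, self-contained C mock of that lifecycle. It is not krb5's code; the types, the `mock_*` functions, the registry table and the status values are all constructed for illustration, with names chosen to mirror the GSS-API ones used in the thread.

```c
/* Added example, not krb5's code: a mock of the GSS-API context-handle
 * lifecycle discussed in the thread. Live handles sit in a small table
 * (a stand-in for krb5's pointer validation); delete validates,
 * unregisters, frees, and nulls the caller's handle. All names, codes
 * and the registry are constructed for this example. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int OM_uint32;
#define GSS_S_COMPLETE    0u   /* constructed values, GSS-API-style names */
#define GSS_S_NO_CONTEXT  1u
#define G_VALIDATE_FAILED 2u

typedef struct mock_ctx { int established; char peer[32]; } mock_ctx_t;
#define GSS_C_NO_CONTEXT ((mock_ctx_t *)0)

#define MAX_CTX 8
static mock_ctx_t *live[MAX_CTX];          /* registry of valid handles */

static int ctx_register(mock_ctx_t *c)
{
    for (int i = 0; i < MAX_CTX; i++)
        if (live[i] == NULL) { live[i] = c; return 1; }
    return 0;
}

/* Pointer-value lookup only: a stale handle is never dereferenced. */
static int ctx_validate(const mock_ctx_t *c)
{
    for (int i = 0; i < MAX_CTX; i++)
        if (live[i] == c) return 1;
    return 0;
}

static void ctx_unregister(const mock_ctx_t *c)
{
    for (int i = 0; i < MAX_CTX; i++)
        if (live[i] == c) live[i] = NULL;
}

OM_uint32 mock_accept_sec_context(OM_uint32 *minor, mock_ctx_t **handle,
                                  const char *peer)
{
    mock_ctx_t *c = calloc(1, sizeof *c);
    *minor = 0;
    if (c == NULL || !ctx_register(c)) { free(c); return GSS_S_NO_CONTEXT; }
    c->established = 1;
    strncpy(c->peer, peer, sizeof c->peer - 1);
    *handle = c;
    return GSS_S_COMPLETE;
}

/* Validate, release, and null the caller's handle, so that a repeated
 * delete on the same variable is a no-op rather than a double free. */
OM_uint32 mock_delete_sec_context(OM_uint32 *minor, mock_ctx_t **handle)
{
    *minor = 0;
    if (*handle == GSS_C_NO_CONTEXT)
        return GSS_S_COMPLETE;             /* already released */
    if (!ctx_validate(*handle)) {          /* unknown or stale pointer */
        *minor  = G_VALIDATE_FAILED;
        *handle = GSS_C_NO_CONTEXT;
        return GSS_S_NO_CONTEXT;
    }
    ctx_unregister(*handle);
    free(*handle);
    *handle = GSS_C_NO_CONTEXT;
    return GSS_S_COMPLETE;
}

/* The gssd sequence from the thread: accept, an export step that consumes
 * the context (modelled here as a delete), then the caller's own delete.
 * Returns 0 when every step behaves as the handle contract says. */
int lifecycle_double_delete_is_harmless(void)
{
    OM_uint32 maj, min;
    mock_ctx_t *ctx = GSS_C_NO_CONTEXT;
    if (mock_accept_sec_context(&min, &ctx, "nfs/server.example") != GSS_S_COMPLETE)
        return -1;
    maj = mock_delete_sec_context(&min, &ctx);       /* "export" releases it */
    if (maj != GSS_S_COMPLETE || ctx != GSS_C_NO_CONTEXT)
        return -2;
    maj = mock_delete_sec_context(&min, &ctx);       /* redundant delete */
    if (maj != GSS_S_COMPLETE || min != 0)
        return -3;
    return 0;
}

/* What validation buys you: a caller holding its own copy of a released
 * handle gets G_VALIDATE_FAILED instead of a use-after-free. Returns 1
 * when the stale copy is rejected and nulled. */
int stale_copy_is_rejected(void)
{
    OM_uint32 maj, min;
    mock_ctx_t *ctx = GSS_C_NO_CONTEXT, *copy;
    if (mock_accept_sec_context(&min, &ctx, "nfs/server.example") != GSS_S_COMPLETE)
        return 0;
    copy = ctx;
    (void)mock_delete_sec_context(&min, &ctx);       /* nulls ctx, not copy */
    maj = mock_delete_sec_context(&min, &copy);
    return maj == GSS_S_NO_CONTEXT && min == G_VALIDATE_FAILED
        && copy == GSS_C_NO_CONTEXT;
}
```

The second function is the case the quoted report hit in a different form: a pointer that no longer names a live context is rejected by the lookup instead of being interpreted as a context structure. The first function shows why the extra gss_delete_sec_context call in gssd is harmless once the export path releases the handle correctly.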