[krbdev.mit.edu #3332] rcache mutex access
Shawn Emery via RT
rt-comment at krbdev.mit.edu
Mon Jan 9 12:18:57 EST 2006
Setting a bogus rcache type through the invoking shell's environment
will cause rcache applications to seg fault, due to attempted access to
an invalid memory address. The problem is in the krb5_rc_default() and
krb5_rc_resolve_full() functions, where they attempt to destroy an
uninitialized mutex after krb5_rc_resolve_type() returns failure.
Whenever krb5_rc_resolve_type() returns failure the rcache mutex will
always be uninitialized.
Shawn.
--
Suggested fix based on the 1.4.3 tree:
src/lib/krb5/rcache/rc_base.c :
@@ -117,11 +117,14 @@
if (!(*id = (krb5_rcache )malloc(sizeof(**id))))
return KRB5_RC_MALLOC;
if ((retval = krb5_rc_resolve_type(context, id,
krb5_rc_default_type(context)))) {
- k5_mutex_destroy(&(*id)->lock);
+ /*
+ * k5_mutex_destroy() is not called here, because the mutex had
+ * not been successfully initialized by krb5_rc_resolve_type().
+ */
FREE(*id);
return retval;
}
if ((retval = krb5_rc_resolve(context, *id,
krb5_rc_default_name(context)))) {
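Review bot: The comment added in the krb5_rc_resolve_type() failure branch depends on an invariant that lives in another function, namely that every failing return from krb5_rc_resolve_type() happens before the lock is initialized. If a later change introduces a failure after the mutex init there, this branch would free *id while the mutex is still live. Consider documenting that contract at krb5_rc_resolve_type() itself, or having that function undo its own initialization on failure, so this caller does not have to know the ordering.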
@@ -155,11 +158,14 @@
return KRB5_RC_MALLOC;
}
if ((retval = krb5_rc_resolve_type(context, id,type))) {
FREE(type);
- k5_mutex_destroy(&(*id)->lock);
+ /*
+ * k5_mutex_destroy() is not called here, because the mutex had
+ * not been successfully initialized by krb5_rc_resolve_type().
+ */
FREE(*id);
return retval;
}
FREE(type);
if ((retval = krb5_rc_resolve(context, *id,residual + 1))) {
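Review bot: In this error branch FREE(*id) releases the structure, but nothing in the visible lines resets *id, so the caller is left holding the freed address; the matching branch in the first hunk has the same shape. Setting *id to NULL before "return retval;" would protect a caller that does not check the return code. The same four-line comment now appears in both hunks, so a shared cleanup helper would keep the two paths from drifting apart.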
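The failure mode reported above, as an added C example that is not part of the ticket or of MIT krb5: cleanup that destroys a lock only when its initialization is known to have succeeded. All names (struct cache, cache_open, cache_resolve_type, cache_free, the sample type string "dfl") are hypothetical, and a POSIX mutex stands in for k5_mutex.

```c
/* Added illustration; identifiers are hypothetical, not MIT krb5 names. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct cache {
    pthread_mutex_t lock;
    int lock_ready;          /* set only after pthread_mutex_init() succeeds */
    const char *type;
};

/* Fails before touching the lock when the type name is unknown, which is
 * the behaviour the report describes for krb5_rc_resolve_type(). */
static int cache_resolve_type(struct cache *c, const char *type)
{
    if (type == NULL || strcmp(type, "dfl") != 0)
        return EINVAL;       /* lock is still uninitialized here */
    if (pthread_mutex_init(&c->lock, NULL) != 0)
        return ENOMEM;
    c->lock_ready = 1;
    c->type = "dfl";
    return 0;
}

/* Single cleanup path: destroy the lock only if it was initialized. */
static void cache_free(struct cache **cp)
{
    if (cp == NULL || *cp == NULL)
        return;
    if ((*cp)->lock_ready)
        pthread_mutex_destroy(&(*cp)->lock);
    free(*cp);
    *cp = NULL;              /* caller is not left with a dangling pointer */
}

/* The type string stands in for a value taken from the environment. */
static int cache_open(struct cache **cp, const char *type)
{
    int ret;

    *cp = calloc(1, sizeof(**cp));   /* zeroed, so lock_ready starts at 0 */
    if (*cp == NULL)
        return ENOMEM;
    ret = cache_resolve_type(*cp, type);
    if (ret != 0)
        cache_free(cp);
    return ret;
}
```

Tracking the initialization state in the object keeps the error path correct even if the resolve step later gains a failure after the lock is set up.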