[krbdev.mit.edu #6598] gss_init_sec_context potential segfault
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Tue Dec 22 18:05:01 EST 2009
Gss_init_sec_context is supposed to return static memory for the actual
mechanism type but may not. The problem is in krb5_gss_init_sec_context
which returns the requested mechanism, if it was provided, as the actual
mechanism. If the requested mechanism was dynamically allocated by the
caller and the caller frees it and then attempts to access the actual
mechanism type, it causes a segfault. I discovered this while fixing
various issues with SPNEGO but anyone who uses the kerberos mechanism
directly could see it. This fixes it for us:
Index: init_sec_context.c
===================================================================
--- init_sec_context.c (revision 23482)
+++ init_sec_context.c (working copy)
@@ -979,12 +979,15 @@
err = 1;
}
} else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ mech_type = (gss_OID) gss_mech_krb5;
if (!cred->rfc_mech)
err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+ mech_type = (gss_OID) gss_mech_krb5_old;
if (!cred->prerfc_mech)
err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
+ mech_type = (gss_OID) gss_mech_krb5_wrong;
if (!cred->rfc_mech)
err = 1;
} else {
More information about the krb5-bugs
mailing list