[krbdev.mit.edu #8734] git commit

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Oct 30 12:25:56 EDT 2018


Fix memory bugs in gss_add_cred() extension case

If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element.  Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.

Instead, make a full copy of the input cred for this case.  Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array.  Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.

GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred.  Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().

(cherry picked from commit 288cbada833dc6af7d43dd308563b48b73347dfb)

https://github.com/krb5/krb5/commit/71d28787a8f70186909141c8b6de2e7798ab5e41
Author: Greg Hudson <ghudson at mit.edu>
Commit: 71d28787a8f70186909141c8b6de2e7798ab5e41
Branch: krb5-1.16
 src/lib/gssapi/mechglue/g_acquire_cred.c |  207 ++++++++++++++++++++----------
 src/tests/gssapi/t_add_cred.c            |   31 +++++-
 2 files changed, 167 insertions(+), 71 deletions(-)



More information about the krb5-bugs mailing list