[krbdev.mit.edu #8734] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Oct 30 12:25:56 EDT 2018
Fix memory bugs in gss_add_cred() extension case
If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element. Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.
Instead, make a full copy of the input cred for this case. Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array. Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.
GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred. Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().
(cherry picked from commit 288cbada833dc6af7d43dd308563b48b73347dfb)
https://github.com/krb5/krb5/commit/71d28787a8f70186909141c8b6de2e7798ab5e41
Author: Greg Hudson <ghudson at mit.edu>
Commit: 71d28787a8f70186909141c8b6de2e7798ab5e41
Branch: krb5-1.16
src/lib/gssapi/mechglue/g_acquire_cred.c | 207 ++++++++++++++++++++----------
src/tests/gssapi/t_add_cred.c | 31 +++++-
2 files changed, 167 insertions(+), 71 deletions(-)
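A constructed C model of the full-copy approach the commit message describes, added here as an illustration and not krb5's own code: mech_cred, union_cred, copy_mech_cred and sample_cred are stand-ins for the mechglue types, and even/odd mech ids model whether a mechanism supports gss_export_cred().

```c
#include <stdlib.h>
/* Constructed model of a mechglue union credential: parallel arrays of
 * mechanism ids and per-mechanism cred handles (stand-ins, not krb5 types). */
typedef struct { int mech; int via_export; } mech_cred;  /* stands in for gss_cred_id_t */
typedef struct { size_t count; int *mechs_array; mech_cred **cred_array; } union_cred;

/* Copy one mech cred: stands in for gss_export_cred()+gss_import_cred(), falling
 * back to gss_inquire_cred()+gss_acquire_cred() when the mechanism (modelled
 * here as odd-numbered) provides no export support. */
static mech_cred *copy_mech_cred(const mech_cred *c) {
    mech_cred *n = malloc(sizeof *n);
    if (n != NULL) { n->mech = c->mech; n->via_export = (c->mech % 2 == 0); }
    return n;
}

/* Frees every element the credential owns; safe on a partial copy. */
void release_union_cred(union_cred *u) {
    size_t i;
    if (u == NULL) return;
    for (i = 0; i < u->count; i++) free(u->cred_array[i]);
    free(u->cred_array);
    free(u->mechs_array);
    free(u);
}

/* Full copy: the result owns every element, so releasing either credential
 * leaves the other valid (a shallow copy of the two arrays would alias them,
 * which is the bug the commit fixes). On failure the partial copy is released. */
union_cred *copy_union_cred(const union_cred *in) {
    union_cred *out = calloc(1, sizeof *out);
    size_t i;
    if (out == NULL) return NULL;
    out->mechs_array = calloc(in->count, sizeof *out->mechs_array);
    out->cred_array = calloc(in->count, sizeof *out->cred_array);
    if (in->count && (out->mechs_array == NULL || out->cred_array == NULL)) goto fail;
    for (i = 0; i < in->count; i++) {
        out->cred_array[i] = copy_mech_cred(in->cred_array[i]);
        if (out->cred_array[i] == NULL) goto fail;
        out->mechs_array[i] = in->mechs_array[i];
        out->count = i + 1;  /* count only elements actually owned */
    }
    return out;
fail:
    release_union_cred(out);
    return NULL;
}

/* Constructed sample input: mech 2 supports export, mech 3 does not. */
static int sample_mechs[2] = { 2, 3 };
static mech_cred sample_creds[2] = { { 2, 0 }, { 3, 0 } };
static mech_cred *sample_ptrs[2] = { &sample_creds[0], &sample_creds[1] };
const union_cred sample_cred = { 2, sample_mechs, sample_ptrs };
```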