Pointer validation in the gss krb5 mech

ghudson@MIT.EDU ghudson at MIT.EDU
Tue Apr 12 13:25:28 EDT 2011

The gss krb5 mech maintains a global, mutex-locked table of
caller-visible pointers to names, creds, security contexts, and lucid
contexts.  When gss-krb5 functions see an input pointer of those types
which is not in the table, they return an error without dereferencing
the pointer.

This stuff predates the integration of the Sun mechglue.  For the most
part this pointer validation only guards against bugs in the mechglue.
(Lucid contexts are an exception.)

To reduce code complexity and to simplify the work of creating a
kernel subset library, I'd like to consider dismantling this
validation framework.  My preference is to rip it out entirely, but an
intermediate option would be to replace the validation with magic
number checks and/or loopback pointer checks.  Checks like that could
still crash on invalid pointer inputs, but would guard against access
after release and similar violations.  Again, for the most part such
checks in the krb5 mech would only guard against bugs in the mechglue.

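The "intermediate option" sketched above (magic number plus loopback pointer instead of a global lookup table) can be shown in a few lines. The following is an added illustration, not code from the krb5 tree: the handle type, magic constants and function names are invented stand-ins for the mech's real name/cred/context structures. It shows what such checks do catch (NULL, a handle that has been invalidated on release, a shallow copy of a live handle) and, by construction, what they cannot catch (a wild pointer, which the first field read would still fault on).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values; not the krb5 mech's own constants. */
#define CTX_MAGIC      0x4B524235u   /* "KRB5" as a live marker */
#define CTX_MAGIC_DEAD 0xDEADC0DEu   /* written on release */

enum { CTX_OK = 0, CTX_EINVAL = 1 };

/* Hypothetical caller-visible handle with the two checks embedded. */
typedef struct ctx_handle {
    uint32_t magic;            /* must equal CTX_MAGIC while live */
    struct ctx_handle *self;   /* loopback: must point at this object */
    int payload;               /* stand-in for real context state */
} ctx_handle;

ctx_handle *ctx_create(int payload)
{
    ctx_handle *h = calloc(1, sizeof *h);
    if (h == NULL)
        return NULL;
    h->magic = CTX_MAGIC;
    h->self = h;
    h->payload = payload;
    return h;
}

/* Returns CTX_OK if h looks like a live handle created by ctx_create.
 * Unlike a global table, this dereferences h, so a garbage pointer can
 * still crash here; stale or copied handles, however, are rejected. */
int ctx_validate(const ctx_handle *h)
{
    if (h == NULL)
        return CTX_EINVAL;
    if (h->magic != CTX_MAGIC)   /* never created, or already released */
        return CTX_EINVAL;
    if (h->self != h)            /* shallow copy or relocated memory */
        return CTX_EINVAL;
    return CTX_OK;
}

/* Scrub the markers so a retained pointer fails validation afterwards. */
void ctx_invalidate(ctx_handle *h)
{
    h->magic = CTX_MAGIC_DEAD;
    h->self = NULL;
}

void ctx_release(ctx_handle *h)
{
    if (ctx_validate(h) != CTX_OK)
        return;                  /* double release or bogus handle: ignore */
    ctx_invalidate(h);
    free(h);
}

/* Scenario: a byte-for-byte copy carries the magic but not a matching
 * self pointer, so the loopback check rejects it. */
int demo_shallow_copy_rejected(void)
{
    ctx_handle *h = ctx_create(7);
    ctx_handle copy;
    memcpy(&copy, h, sizeof copy);
    int rc = ctx_validate(&copy);
    ctx_release(h);
    return rc;
}

/* Scenario: use after release. The object is invalidated but not yet
 * freed here, so reading it stays well-defined for the demonstration. */
int demo_invalidated_rejected(void)
{
    ctx_handle *h = ctx_create(1);
    ctx_invalidate(h);
    int rc = ctx_validate(h);
    free(h);
    return rc;
}

int main(void)
{
    ctx_handle *h = ctx_create(3);
    printf("live handle:        %d\n", ctx_validate(h));
    printf("NULL:               %d\n", ctx_validate(NULL));
    printf("shallow copy:       %d\n", demo_shallow_copy_rejected());
    printf("after invalidation: %d\n", demo_invalidated_rejected());
    ctx_release(h);
    return 0;
}
```

The scrub in ctx_invalidate is what gives the scheme its access-after-release value: once the memory is reused by the allocator the check is no longer reliable, which is the residual risk the proposal above accepts in exchange for dropping the table.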