Questions about iter check in profile_iterator()

Neng Xue neng.xue at oracle.com
Mon Jan 12 19:06:40 EST 2015 

Hi MIT krb team,

Recently I am working on a kerberos related project in Solaris which 
will upgrade our krb version to 1.13. We have a set of solaris specific 
profile interfaces underneath using MIT kerberos profile interfaces. 
They used to work fine. However, after the version upgrade I noticed the 
interface wrapper encountered an issue. I narrowed down the issue to:

*prof_get.c:profile_iterator()*:

582 if (iter->magic != PROF_MAGIC_ITERATOR)
583        return PROF_MAGIC_ITERATOR;

When the iter is NULL our program will segmentation fault because of the 
null pointer deference.

Here is piece of our code:

       code = *profile_iterator_create*(profile, hierarchy,
42        PROFILE_ITER_LIST_SECTION, *&state*);
43    while (code == 0) {
44        code = *profile_iterator*(&*state*, &name, &value);
45        if (code == 0 && name != NULL) {
46
47            if (key != NULL && value != NULL) {
48                boolean_t ex_match = strcmp(key, value) ?
49                    B_FALSE : B_TRUE;
50                boolean_t match = strcasecmp(key, value) ?
51                    B_FALSE : B_TRUE;
52
53                if (ex_match == B_FALSE && case_ins == B_TRUE &&
54                    match == B_TRUE) {
55                    code2 = add_to_list(&values, name);
56                    if (code2 != 0) {
57                        end_list(&values, 0);
58                        code = code2;
59                    } else
60                        end_list(&values, &ret_values);
61                    goto cleanup;
62                } else if (ex_match == B_FALSE ||
63                    case_ins == B_TRUE)
64                    goto not_found;
65            }
66            code2 = add_to_list(&values, name);
67            if (code2 != 0) {
68                end_list(&values, 0);
69                code = code2;
70                goto cleanup;
71            }
72            found = B_TRUE;
73        }
74
75not_found:
76        if (name != NULL) {
77            profile_release_string(name);
78            name = NULL;
79        }
80        if (value != NULL) {
81            profile_release_string(value);
82            value = NULL;
83        }
84    }

The while loop will segmentation fault during the *third* loop. During 
the *second* loop, *profile_node_iterator()* underneath will free the 
iter pointer, then the third loop will still use that iter pointer to 
deference iter->magic value. So my question is that do we use the 
profile_iterator() in the wrong way or there should be an iter check in 
the profile_iterator()? Thanks.


Best

-- 
Neng Xue
Oracle Solaris Software Engineer
Santa Clara, CA, USA

More information about the krbdev mailing list