[30794] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Fix overzealous SPNEGO src_name/deleg_cred release

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Apr 30 12:06:06 2020

Date: Thu, 30 Apr 2020 12:05:23 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202004301605.03UG5NoH006172@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/b2fe66fed560ae28917a4acae6f6c0f020156353
commit b2fe66fed560ae28917a4acae6f6c0f020156353
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Apr 28 11:37:10 2020 -0400

    Fix overzealous SPNEGO src_name/deleg_cred release
    
    Commit 24b844714dea3e47b17511746b5df5b6ddf13d43 (ticket 8845) added
    releases of sc->internal_name and sc->deleg_cred before calling the
    underlying mech's gss_accept_sec_context(), to avoid a potential leak
    if the mech reports a value multiple times.  Commit
    c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) added a branch
    which calls negoex_accept() instead of calling directly into the
    underlying mech.  If negoex_accept() doesn't call into the mech on the
    last acceptor leg, the src_name and deleg_cred values from the final
    mech call are lost.
    
    Move the releases to the non-NegoEx branch.  negoex_accept() already
    does its own releases when it calls into the mech.
    
    Reported by Luke Howard.
    
    ticket: 8898 (new)
    tags: pullup
    target_version: 1.18-next

 src/lib/gssapi/spnego/spnego_mech.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index c7f99e8..4c0292a 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1566,12 +1566,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	}
 
 	mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred;
-	(void) gss_release_name(&tmpmin, &sc->internal_name);
-	(void) gss_release_cred(&tmpmin, &sc->deleg_cred);
 	if (negoex) {
 		ret = negoex_accept(minor_status, sc, mcred, mechtok_in,
 				    mechtok_out, time_rec);
 	} else {
+		(void) gss_release_name(&tmpmin, &sc->internal_name);
+		(void) gss_release_cred(&tmpmin, &sc->deleg_cred);
 		ret = gss_accept_sec_context(minor_status, &sc->ctx_handle,
 					     mcred, mechtok_in,
 					     GSS_C_NO_CHANNEL_BINDINGS,
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post