[31034] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Fix defcred leak in krb5 gss_inquire_cred()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jul 21 12:05:29 2021

Date: Wed, 21 Jul 2021 12:04:59 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202107211604.16LG4xGp014930@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============7439411738718782994=="
Errors-To: cvs-krb5-bounces@mit.edu

--===============7439411738718782994==
Content-Type: text/plain

https://github.com/krb5/krb5/commit/593e16448e1af23eef74689afe06a7bcc86e79c7
commit 593e16448e1af23eef74689afe06a7bcc86e79c7
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Jul 16 13:39:39 2021 -0400

    Fix defcred leak in krb5 gss_inquire_cred()
    
    Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
    management of krb5_gss_inquire_cred(), introducing defcred to act as
    an owner pointer when the function must acquire a default credential.
    The commit neglected to update the code to release the default cred
    along the successful path.  The old code does not trigger because
    cred_handle is now reassigned, so the default credential is leaked.
    
    Unify the success and failure cleanup for this function so that
    defcred is properly released on success.
    
    Reported by Pavel Březina.
    
    ticket: 9016
    tags: pullup
    target_version: 1.19-next
    target_version: 1.18-next

 src/lib/gssapi/krb5/inq_cred.c |   16 ++++++----------
 1 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f2541..bb63b72 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     if ((code = krb5_timeofday(context, &now))) {
         *minor_status = code;
         ret = GSS_S_FAILURE;
-        goto fail;
+        goto cleanup;
     }
 
     if (cred->expire != 0) {
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             *minor_status = code;
             save_error_info(*minor_status, context);
             ret = GSS_S_FAILURE;
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             if (ret_name)
                 kg_release_name(context, &ret_name);
             /* *minor_status set above */
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
 
     if (cred_usage)
         *cred_usage = cred->usage;
-    k5_mutex_unlock(&cred->lock);
 
     if (mechanisms) {
         *mechanisms = mechs;
         mechs = GSS_C_NO_OID_SET;
     }
 
-    if (cred_handle == GSS_C_NO_CREDENTIAL)
-        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
-    krb5_free_context(context);
     *minor_status = 0;
-    return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
-fail:
+    ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
+
+cleanup:
     k5_mutex_unlock(&cred->lock);
     krb5_gss_release_cred(&tmpmin, &defcred);
     krb5_free_context(context);

--===============7439411738718782994==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

--===============7439411738718782994==--
home help back first fref pref prev next nref lref last post