[31540] in CVS-changelog-for-Kerberos-V5

krb5 commit: Fix gss_add_cred() extension fallback path

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Wed May 27 19:45:40 2026

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260527234532.6A7761017F1@krbdev.mit.edu>
Date: Wed, 27 May 2026 19:45:32 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/d4c96c2279855b2064ebef192434382118d101e8
commit d4c96c2279855b2064ebef192434382118d101e8
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu May 21 17:34:27 2026 -0400

    Fix gss_add_cred() extension fallback path
    
    In copy_mech_cred(), if we fall back to using the mechanism's
    gss_inquire_cred() and gss_acquire_cred(), correctly release the
    mechanism name, and map the minor status if a mechanism call fails.
    Reported by Daniel Sands.
    
    This helper function is only reached if an application calls
    gss_add_cred() with non-null input_cred_handle and output_cred_handle.
    It was introduced in commit 288cbada833dc6af7d43dd308563b48b73347dfb
    (ticket 8734).
    
    ticket: 9214 (new)
    tags: pullup
    target_version: 1.22-next

 src/lib/gssapi/mechglue/g_acquire_cred.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index 2fc9c5c78..eaae67d54 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -306,13 +306,17 @@ copy_mech_cred(OM_uint32 *minor_status, gss_cred_id_t cred_in,
 	       mech->gss_acquire_cred != NULL) {
 	status = mech->gss_inquire_cred(minor_status, cred_in, &name, &life,
 					&usage, NULL);
-	if (status != GSS_S_COMPLETE)
+	if (status != GSS_S_COMPLETE) {
+	    map_error(minor_status, mech);
 	    return (status);
+	}
 	oidset.count = 1;
 	oidset.elements = gssint_get_public_oid(mech_oid);
 	status = mech->gss_acquire_cred(minor_status, name, life, &oidset,
 					usage, cred_out, NULL, NULL);
-	gss_release_name(&tmpmin, &name);
+	if (status != GSS_S_COMPLETE)
+	    map_error(minor_status, mech);
+	(void) gssint_release_internal_name(&tmpmin, &mech->mech_type, &name);
     } else {
 	status = GSS_S_UNAVAILABLE;
     }
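Review bot: the replacement of gss_release_name() with gssint_release_internal_name() at the end of the fallback branch should carry a short comment stating that name is a mechanism-level name, since it comes from mech->gss_inquire_cred() and is passed straight to mech->gss_acquire_cred(). Without that, the removed call looks just as plausible to a later reader and could be reintroduced. The ordering is sound: map_error() runs on minor_status before the release, and the release writes to tmpmin, so the mapped minor code is not overwritten. The diffstat shows only g_acquire_cred.c changing, so consider adding a regression test that drives this branch (per the commit message, gss_add_cred() with non-null input_cred_handle and output_cred_handle) and checks both the name release and the mapped minor status on failure.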
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
