[31557] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Check for empty forwarded creds in krb5 GSS mech

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Fri Jul 10 23:25:36 2026

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260711032528.CB93F105595@krbdev.mit.edu>
Date: Fri, 10 Jul 2026 23:25:28 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/690cbe7d9b6d095cbeb77fe3e4d0c910f97bbb3e
commit 690cbe7d9b6d095cbeb77fe3e4d0c910f97bbb3e
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sun Jun 14 17:01:34 2026 -0400

    Check for empty forwarded creds in krb5 GSS mech
    
    In rd_and_store_for_creds(), do not dereference the first element of
    the forwarded credential list if it is empty.  In addition, if an
    application passes a null delegated_cred_handle to
    gss_accept_sec_context(), do not call krb5_rd_cred() in the krb5 GSS
    mech.
    
    ticket: 9220 (new)
    tags: pullup
    target_version: 1.22-next

 src/lib/gssapi/krb5/accept_sec_context.c | 70 +++++++++++++-------------------
 1 file changed, 29 insertions(+), 41 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c9987b757..3a7fb4e89 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -170,6 +170,10 @@ rd_and_store_for_creds(krb5_context context, krb5_auth_context auth_context,
     krb5_auth_context new_auth_ctx = NULL;
     krb5_int32 flags_org;
 
+    /* Ignore the forwarded creds if the application doesn't want them. */
+    if (out_cred == NULL)
+        return 0;
+
     if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org)))
         return retval;
     krb5_auth_con_setflags(context, auth_context,
@@ -205,6 +209,9 @@ rd_and_store_for_creds(krb5_context context, krb5_auth_context auth_context,
             goto cleanup;
     }
 
+    if (creds[0] == NULL)
+        goto cleanup;
+
     if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
         ccache = NULL;
         goto cleanup;
@@ -216,50 +223,32 @@ rd_and_store_for_creds(krb5_context context, krb5_auth_context auth_context,
     if ((retval = k5_cc_store_primary_cred(context, ccache, creds[0])))
         goto cleanup;
 
-    /* generate a delegated credential handle */
-    if (out_cred) {
-        /* allocate memory for a cred_t... */
-        if (!(cred =
-              (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) {
-            retval = ENOMEM; /* out of memory? */
-            goto cleanup;
-        }
+    cred = k5alloc(sizeof(*cred), &retval);
+    if (cred == NULL)
+        goto cleanup;
 
-        /* zero it out... */
-        memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
+    retval = k5_mutex_init(&cred->lock);
+    if (retval)
+        goto cleanup;
 
-        retval = k5_mutex_init(&cred->lock);
-        if (retval) {
-            xfree(cred);
-            cred = NULL;
-            goto cleanup;
-        }
+    retval = kg_init_name(context, creds[0]->client, NULL, NULL, NULL, 0,
+                          &cred->name);
+    if (retval) {
+        k5_mutex_destroy(&cred->lock);
+        goto cleanup;
+    }
 
-        /* copy the client principle into it... */
-        if ((retval =
-             kg_init_name(context, creds[0]->client, NULL, NULL, NULL, 0,
-                          &cred->name))) {
-            k5_mutex_destroy(&cred->lock);
-            retval = ENOMEM; /* out of memory? */
-            xfree(cred); /* clean up memory on failure */
-            cred = NULL;
-            goto cleanup;
-        }
+    cred->usage = GSS_C_INITIATE;
+    cred->keytab = NULL;
+    cred->expire = creds[0]->times.endtime;
+    /* Transfer ownership of ccache to cred. */
+    cred->ccache = ccache;
+    cred->destroy_ccache = 1;
+    ccache = NULL;
 
-        cred->usage = GSS_C_INITIATE; /* we can't accept with this */
-        /* cred->name already set */
-        cred->keytab = NULL; /* no keytab associated with this... */
-        cred->expire = creds[0]->times.endtime; /* store the end time */
-        cred->ccache = ccache; /* the ccache containing the credential */
-        cred->destroy_ccache = 1;
-        ccache = NULL; /* cred takes ownership so don't destroy */
-    }
+    *out_cred = cred;
+    cred = NULL;
 
-    /* If there were errors, there might have been a memory leak
-       if (!cred)
-       if ((retval = krb5_cc_close(context, ccache)))
-       goto cleanup;
-    */
 cleanup:
     if (creds)
         krb5_free_tgt_creds(context, creds);
@@ -267,8 +256,7 @@ cleanup:
     if (ccache)
         (void)krb5_cc_destroy(context, ccache);
 
-    if (out_cred)
-        *out_cred = cred; /* return credential */
+    free(cred);
 
     if (new_auth_ctx)
         krb5_auth_con_free(context, new_auth_ctx);
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

home help back first fref pref prev next nref lref last post