[11252] in Kerberos-V5-bugs


[krbdev.mit.edu #6598] gss_init_sec_context potential segfault

daemon@ATHENA.MIT.EDU ("Arlene Berry" via RT)
Tue Dec 22 18:05:30 2009

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: ""Arlene Berry" via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6598@krbdev.mit.edu>
Message-ID: <rt-6598-31927.12.045174963441@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6598'":;"'AdminCc of krbdev.mit.edu Ticket #6598'":;@MIT.EDU
Date: Tue, 22 Dec 2009 23:05:01 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

gss_init_sec_context is supposed to return static memory for the actual
mechanism type but may not.  The problem is in krb5_gss_init_sec_context
which returns the requested mechanism, if it was provided, as the actual
mechanism.  If the requested mechanism was dynamically allocated by the
caller and the caller frees it and then attempts to access the actual
mechanism type, it causes a segfault.  I discovered this while fixing
various issues with SPNEGO but anyone who uses the Kerberos mechanism
directly could see it.  This fixes it for us:

Index: init_sec_context.c
===================================================================
--- init_sec_context.c	(revision 23482)
+++ init_sec_context.c	(working copy)
@@ -979,12 +979,15 @@
             err = 1;
         }
     } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+        mech_type = (gss_OID) gss_mech_krb5;
         if (!cred->rfc_mech)
             err = 1;
     } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+        mech_type = (gss_OID) gss_mech_krb5_old;
         if (!cred->prerfc_mech)
             err = 1;
     } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
+        mech_type = (gss_OID) gss_mech_krb5_wrong;
         if (!cred->rfc_mech)
             err = 1;
     } else {
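Review bot: the three added assignments are what make the value later handed back as actual_mech_type point at library-owned static storage instead of the caller's (possibly heap-allocated, possibly already freed) requested OID, but nothing in the hunk says so; a one-line comment above the chain (e.g. "replace the caller's OID with our static copy; RFC 2744 says actual_mech_type must not be freed by the application") would stop a later cleanup from deleting assignments that look redundant next to the g_OID_equal checks. The branch that precedes the hunk (the one ending in the `err = 1;` / `}` context at its top) is not visible here, so confirm it leaves mech_type pointing at static storage as well, and that the code after the chain outputs `mech_type` rather than the original parameter.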


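The report describes a use-after-free pattern that is not specific to Kerberos: a library that echoes the caller's pointer back as an "actual mechanism" output dangles as soon as the caller frees its own request object. The program below is an added example, not code from krb5 or from this report; it models the before and after shapes with a minimal stand-in for gss_OID_desc (`oid_desc`, `select_mech_unsafe`, `select_mech_safe` and the helpers are names chosen here). The OID byte strings are the standard DER encodings of 1.2.840.113554.1.2.2, 1.3.5.1.5.2 and 1.2.840.48018.1.2.2, supplied by me rather than taken from the page.

```c
/*
 * Added example (not krb5 code): the OID-canonicalisation pattern behind the
 * fix in the report.  A GSS-API caller may pass a heap-allocated mechanism
 * OID as the requested mechanism; whatever comes back as actual_mech_type
 * must live in storage the caller never frees, so the library must hand back
 * its own static OID instead of echoing the caller's pointer.
 */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal stand-in for gss_OID_desc (assumed shape for this example). */
typedef struct {
    uint32_t length;
    void *elements;
} oid_desc;

/* DER-encoded mechanism OIDs (well-known encodings, not taken from the page):
 * 1.2.840.113554.1.2.2 (krb5), 1.3.5.1.5.2 (pre-RFC krb5),
 * 1.2.840.48018.1.2.2 (the "wrong" krb5 OID). */
static unsigned char krb5_bytes[]       = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static unsigned char krb5_old_bytes[]   = {0x2b,0x05,0x01,0x05,0x02};
static unsigned char krb5_wrong_bytes[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};

/* The library's static OID table; these addresses never become invalid. */
const oid_desc mech_krb5       = {sizeof krb5_bytes, krb5_bytes};
const oid_desc mech_krb5_old   = {sizeof krb5_old_bytes, krb5_old_bytes};
const oid_desc mech_krb5_wrong = {sizeof krb5_wrong_bytes, krb5_wrong_bytes};

/* Byte-wise OID comparison, the same test g_OID_equal performs. */
static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Before: recognises a supported mechanism but returns the caller's pointer,
 * which dangles as soon as the caller frees its request object. */
const oid_desc *select_mech_unsafe(const oid_desc *requested)
{
    if (oid_equal(requested, &mech_krb5) ||
        oid_equal(requested, &mech_krb5_old) ||
        oid_equal(requested, &mech_krb5_wrong))
        return requested;
    return NULL;
}

/* After: map the request onto the static table and return that entry. */
const oid_desc *select_mech_safe(const oid_desc *requested)
{
    const oid_desc *table[] = {&mech_krb5, &mech_krb5_old, &mech_krb5_wrong};
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (oid_equal(requested, table[i]))
            return table[i];           /* static storage, safe to hand back */
    return NULL;                       /* unsupported mechanism */
}

/* Heap copy of an OID, as an application assembling its own OID might make. */
oid_desc *oid_heap_copy(const oid_desc *src)
{
    oid_desc *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->elements = malloc(src->length);
    if (!o->elements) { free(o); return NULL; }
    memcpy(o->elements, src->elements, src->length);
    o->length = src->length;
    return o;
}

void oid_heap_free(oid_desc *o)
{
    if (!o) return;
    free(o->elements);
    free(o);
}

/* 1 when the selected OID is the caller's own object (will dangle after free). */
int aliases_request(const oid_desc *selected, const oid_desc *requested)
{
    return selected == requested;
}

int main(void)
{
    oid_desc *req = oid_heap_copy(&mech_krb5);   /* constructed caller input */
    const oid_desc *unsafe = select_mech_unsafe(req);
    const oid_desc *safe = select_mech_safe(req);
    int bad = aliases_request(unsafe, req);      /* 1: would dangle after free */
    int good = aliases_request(safe, req);       /* 0: points into the table */
    oid_heap_free(req);
    /* From here only `safe` may be dereferenced; `unsafe` is a freed pointer. */
    return (bad == 1 && good == 0 && safe == &mech_krb5) ? 0 : 1;
}
```

The pointer comparisons in `main` are done before the free so the program never reads freed memory itself; the point is that `select_mech_safe` returns an address whose validity does not depend on the caller's allocation lifetime, which is the property the report's patch restores in krb5_gss_init_sec_context.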
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
