[16197] in Kerberos-V5-bugs
[krbdev.mit.edu #8734] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Oct 30 12:28:43 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8734@krbdev.mit.edu>
Message-ID: <rt-8734-49116.0.18414266484136@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8734'":;
Date: Tue, 30 Oct 2018 12:27:45 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

Fix memory bugs in gss_add_cred() extension case

If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element. Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.

Instead, make a full copy of the input cred for this case. Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array. Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.

GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred. Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().

(cherry picked from commit 288cbada833dc6af7d43dd308563b48b73347dfb)

https://github.com/krb5/krb5/commit/697458053ed317364ee507c9497e148e9d1aa7ab
Author: Greg Hudson <ghudson@mit.edu>
Commit: 697458053ed317364ee507c9497e148e9d1aa7ab
Branch: krb5-1.15

 src/lib/gssapi/mechglue/g_acquire_cred.c | 207 ++++++++++++++++++++----------
 src/tests/gssapi/t_add_cred.c            |  31 +++++-
 2 files changed, 167 insertions(+), 71 deletions(-)
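
The aliasing problem described in the commit message above, reduced to a toy model. This is an added example, not code from krb5 or from the commit: toy_cred, toy_release, toy_copy and toy_shared_elems are hypothetical names, and heap ints stand in for per-mechanism credentials.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a union cred: an array of separately allocated
 * per-mechanism creds (heap ints here); mechs_array would follow suit. */
typedef struct { size_t count; int **cred_array; } toy_cred;

static void toy_release(toy_cred *c)
{
    for (size_t i = 0; i < c->count; i++)
        free(c->cred_array[i]);
    free(c->cred_array);
    memset(c, 0, sizeof(*c));
}

/* deep=0 copies only the element pointers (the aliasing pattern);
 * deep=1 duplicates every element. Returns 0 on success, -1 on ENOMEM. */
static int toy_copy(const toy_cred *in, toy_cred *out, int deep)
{
    out->count = 0;
    out->cred_array = calloc(in->count + 1, sizeof(*out->cred_array));
    if (out->cred_array == NULL)
        return -1;
    for (size_t i = 0; i < in->count; i++) {
        int *elem = in->cred_array[i];
        if (deep) {
            if ((elem = malloc(sizeof(*elem))) == NULL) {
                toy_release(out);   /* frees only the copies built so far */
                return -1;
            }
            *elem = *in->cred_array[i];
        }
        out->cred_array[out->count++] = elem;
    }
    return 0;
}

/* Counts the elements that two live credentials have in common. */
static int toy_shared_elems(const toy_cred *a, const toy_cred *b)
{
    int n = 0;
    for (size_t i = 0; i < a->count && i < b->count; i++)
        n += (a->cred_array[i] == b->cred_array[i]);
    return n;
}
```

With deep=0 every element is shared, so releasing the original leaves the copy's pointers dangling and releasing both frees each element twice; with deep=1 either credential can be released independently.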