[2747] in Kerberos-V5-bugs


krb5-libs/436: recvauth() frees caller's auth_context.

daemon@ATHENA.MIT.EDU (donn@u.washington.edu)
Wed Jun 11 20:55:15 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, donn@u.washington.edu
Date: Wed, 11 Jun 1997 17:52:21 -0700
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU


>Number:         436
>Category:       krb5-libs
>Synopsis:       recvauth() frees caller's auth_context.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Jun 11 20:53:01 EDT 1997
>Last-Modified:
>Originator:     Donn Cave
>Organization:
	University of Washington, University Computing Services
>Release:        1.0pl1
>Environment:
	UNIX
System: AIX melville 2 4 000010504900


>Description:
	recvauth() frees auth_context before returning, if an error occurred.
	It does so regardless of whether it's the caller's storage passed in as
	a parameter, or storage allocated by recvauth() itself.  In the latter
	case it arguably makes sense.  In the former it doesn't make sense,
	at least not to me.
>How-To-Repeat:
	Allocate a krb5_auth_context object, with krb5_auth_con_init(), and
	pass its address to recvauth().  Connect with a client whose server
	principal was constructed using the local host instead of the service
	host;  this is an error and will result in ``Wrong principal in
	request.''  Then, after return from recvauth(), free your auth_context
	object with auth_con_free().
>Fix:
	Context diff follows.  I just saved the initial parameter value, and
	only free the object if it was allocated locally.
--------
*** src/lib/krb5/krb/recvauth.c.dist	Thu Nov 21 11:00:06 1996
--- src/lib/krb5/krb/recvauth.c	Wed Jun 11 16:28:51 1997
***************
*** 35,47 ****
  static char *sendauth_version = "KRB5_SENDAUTH_V1.0";
  
  krb5_error_code
  krb5_recvauth(context, auth_context,
  	      /* IN */
  	      fd, appl_version, server, flags, keytab,
  	      /* OUT */
  	      ticket)
      krb5_context 	  context;
!     krb5_auth_context   * auth_context;
      krb5_pointer	  fd;
      char		* appl_version;
      krb5_principal	  server;
--- 35,47 ----
  static char *sendauth_version = "KRB5_SENDAUTH_V1.0";
  
  krb5_error_code
  krb5_recvauth(context, auth_context_arg,
  	      /* IN */
  	      fd, appl_version, server, flags, keytab,
  	      /* OUT */
  	      ticket)
      krb5_context 	  context;
!     krb5_auth_context   * auth_context_arg;
      krb5_pointer	  fd;
      char		* appl_version;
      krb5_principal	  server;
***************
*** 50,55 ****
--- 50,56 ----
      krb5_ticket	       ** ticket;
  {
      krb5_auth_context	  new_auth_context;
+     krb5_auth_context	  *auth_context;
      krb5_flags		  ap_option;
      krb5_error_code	  retval, problem;
      krb5_data		  inbuf;
***************
*** 138,143 ****
--- 139,145 ----
      if ((retval = krb5_read_message(context, fd, &inbuf)))
          return retval;
  
+     auth_context = auth_context_arg;
      if (*auth_context == NULL) {
  	problem = krb5_auth_con_init(context, &new_auth_context);
  	*auth_context = new_auth_context;
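Review bot: this hunk is the place to record that the context was allocated locally, because `auth_context = auth_context_arg;` is the only assignment to `auth_context` anywhere in the patch and the `*auth_context == NULL` condition is overwritten on the next lines; a flag set inside the `if (*auth_context == NULL)` block after a successful `krb5_auth_con_init` (e.g. `allocated_locally = 1;`) would carry that information to the cleanup path. Separately, `*auth_context = new_auth_context;` runs even when `problem` is nonzero, so on an init failure the uninitialized `new_auth_context` (declared without an initializer in the previous hunk) is copied into the caller's slot; guarding the store on `problem == 0` would avoid handing back an indeterminate pointer.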
***************
*** 229,235 ****
      if (retval) {
  	if (rcache)
  	    krb5_rc_close(context, rcache);
! 	krb5_auth_con_free(context, *auth_context);
      }
      return retval;
  }
--- 231,238 ----
      if (retval) {
  	if (rcache)
  	    krb5_rc_close(context, rcache);
! 	if (auth_context != auth_context_arg)
! 		krb5_auth_con_free(context, *auth_context);
      }
      return retval;
  }
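Review bot: the new guard `if (auth_context != auth_context_arg)` can never be true as the patch stands: `auth_context` is set to `auth_context_arg` in the earlier hunk and nothing in the diff reassigns it, so the two pointers are always equal and a context that `krb5_recvauth` allocated itself is no longer freed on error (the premature free becomes a leak). Test the "allocated locally" condition directly, e.g. `if (allocated_locally) { krb5_auth_con_free(context, *auth_context); *auth_context = NULL; }`, and clear `*auth_context` after freeing so the caller is not left holding a pointer into freed memory.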
>Audit-Trail:
>Unformatted:
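As an added example, not code from the bug report or from the krb5 sources, the following C program models the ownership contract the report is about: an in/out context pointer that the callee allocates only when the caller passed NULL. It places the behaviour described in the report (free on error regardless of owner) beside the corrected contract (free only what the callee allocated, and reset the caller's slot), and plays the How-To-Repeat scenario against both. All demo_* names, the error code and the live-object counter are hypothetical stand-ins for the krb5 types and calls.

```c
/* Added example (hypothetical demo_* names), not krb5 code. */
#include <stdlib.h>

typedef struct demo_auth_context_st { int ready; } *demo_auth_context;

#define DEMO_ERR_WRONG_PRINCIPAL 2      /* models "Wrong principal in request" */

static int g_live_contexts = 0;         /* allocated-but-not-freed contexts */

int demo_live_contexts(void) { return g_live_contexts; }

static int demo_auth_con_init(demo_auth_context *out)
{
    *out = malloc(sizeof(**out));
    if (*out == NULL)
        return 1;                       /* stands in for an allocation error */
    (*out)->ready = 1;
    g_live_contexts++;
    return 0;
}

static void demo_auth_con_free(demo_auth_context c)
{
    if (c != NULL) {
        g_live_contexts--;
        free(c);
    }
}

/* Behaviour described in the report: on error the context is freed no matter
 * who allocated it, so a caller-supplied context is destroyed behind the
 * caller's back. */
static int demo_recvauth_reported(demo_auth_context *auth_context, int fail)
{
    demo_auth_context new_auth_context;
    int retval = 0;
    if (*auth_context == NULL) {
        retval = demo_auth_con_init(&new_auth_context);
        if (retval) return retval;
        *auth_context = new_auth_context;
    }
    if (fail) retval = DEMO_ERR_WRONG_PRINCIPAL;
    if (retval)
        demo_auth_con_free(*auth_context);  /* caller-owned or not */
    return retval;
}

/* Corrected contract: remember whether this function allocated the context,
 * free only in that case, and reset the caller's slot so no dangling pointer
 * escapes. */
static int demo_recvauth_fixed(demo_auth_context *auth_context, int fail)
{
    int allocated_locally = 0;
    int retval = 0;
    if (*auth_context == NULL) {
        retval = demo_auth_con_init(auth_context);
        if (retval) return retval;
        allocated_locally = 1;
    }
    if (fail) retval = DEMO_ERR_WRONG_PRINCIPAL;
    if (retval && allocated_locally) {
        demo_auth_con_free(*auth_context);
        *auth_context = NULL;
    }
    return retval;
}

/* How-To-Repeat scenario against the reported code: the caller's context is
 * gone after the failed call (live count drops while the caller still holds
 * the pointer). Returns 1 when observed; the stale pointer is never touched. */
int demo_reported_frees_callers_context(void)
{
    demo_auth_context ctx = NULL;
    int before, rc;
    if (demo_auth_con_init(&ctx)) return -1;
    before = g_live_contexts;
    rc = demo_recvauth_reported(&ctx, 1);
    ctx = NULL;                         /* freeing again would be a double free */
    return (rc == DEMO_ERR_WRONG_PRINCIPAL && g_live_contexts == before - 1);
}

/* Same scenario against the fixed code: the caller's object survives and the
 * caller frees it exactly once. */
int demo_fixed_keeps_callers_context(void)
{
    demo_auth_context ctx = NULL, saved;
    int before, rc, ok;
    if (demo_auth_con_init(&ctx)) return -1;
    saved = ctx;
    before = g_live_contexts;
    rc = demo_recvauth_fixed(&ctx, 1);
    ok = (rc == DEMO_ERR_WRONG_PRINCIPAL && ctx == saved && g_live_contexts == before);
    demo_auth_con_free(ctx);
    return ok && g_live_contexts == before - 1;
}

/* Callee-allocated context on a failing call: freed by the callee and the
 * caller's slot reset to NULL, so there is nothing left to free and no
 * dangling pointer. */
int demo_fixed_resets_own_allocation(void)
{
    demo_auth_context ctx = NULL;
    int before = g_live_contexts;
    int rc = demo_recvauth_fixed(&ctx, 1);
    return (rc == DEMO_ERR_WRONG_PRINCIPAL && ctx == NULL && g_live_contexts == before);
}
```

The live-object counter is only there to make the ownership outcome observable without dereferencing a freed pointer; with the reported behaviour the caller's context disappears and any later `free` by the caller would be a double free, whereas the fixed variant leaves caller-owned storage alone and hands back NULL for storage it released itself.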
