RT RT/krbdev.mit.edu: Ticket #3332 don't destroy uninitialized rcache mutex in error cases

 The Basics  
Id
3332
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Tags
Version_reported
  • 1.4.3
Version_Fixed
  • 1.5
Target_Version
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Mon Jan 9 12:18:54 2006
Starts: Not set
Started: Thu Jun 8 16:01:48 2006
Last Contact: Thu Jun 8 16:01:51 2006
Due: Not set
Updated: Fri Jun 30 01:23:33 2006 by tlyu
 

 People  
Owner
 raeburn
Requestors
 Shawn.Emery@Sun.COM
Cc
 
AdminCc
 
 

History
      Mon Jan  9 12:18:55 2006  Shawn.Emery@Sun.COM - Ticket created    
     
Date: Mon, 09 Jan 2006 00:11:23 -0700
From: Shawn M Emery <Shawn.Emery@Sun.COM>
Subject: rcache mutex access
To: krb5-bugs@mit.edu


Setting a bogus rcache type through the invoking shell's environment
will cause rcache applications to seg fault, due to attempted access to
an invalid memory address.  The problem is in the krb5_rc_default() and
krb5_rc_resolve_full() functions, where they attempt to destroy an
uninitialized mutex after krb5_rc_resolve_type() returns failure.
Whenever krb5_rc_resolve_type() returns failure the rcache mutex will
always be uninitialized.

Shawn.
--

Suggested fix based on the 1.4.3 tree:
src/lib/krb5/rcache/rc_base.c :
@@ -117,11 +117,14 @@
     if (!(*id = (krb5_rcache )malloc(sizeof(**id))))
     return KRB5_RC_MALLOC;

     if ((retval = krb5_rc_resolve_type(context, id,
                        krb5_rc_default_type(context)))) {
-    k5_mutex_destroy(&(*id)->lock);
+   /*
+    * k5_mutex_destroy() is not called here, because the mutex had
+    * not been successfully initialized by krb5_rc_resolve_type().
+    */
     FREE(*id);
     return retval;
     }
     if ((retval = krb5_rc_resolve(context, *id,
                   krb5_rc_default_name(context)))) {
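Review bot: dropping the k5_mutex_destroy() call in this error path is correct only as long as krb5_rc_resolve_type() never returns failure with the mutex left initialized; the report states that this holds in 1.4.3, but the invariant lives in a different function, so a short note at krb5_rc_resolve_type() saying it owns the mutex on its own failure paths would keep a later change there from reintroducing either a leaked mutex or this crash. The four-line replacement comment is more than the spot needs; a one-liner such as `/* mutex not initialized when resolve_type fails */` next to FREE(*id) carries the same point.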
@@ -155,11 +158,14 @@
     return KRB5_RC_MALLOC;
     }

     if ((retval = krb5_rc_resolve_type(context, id,type))) {
     FREE(type);
-    k5_mutex_destroy(&(*id)->lock);
+   /*
+    * k5_mutex_destroy() is not called here, because the mutex had
+    * not been successfully initialized by krb5_rc_resolve_type().
+    */
     FREE(*id);
     return retval;
     }
     FREE(type);
     if ((retval = krb5_rc_resolve(context, *id,residual + 1))) {
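Review bot: this hunk repeats the exact comment block and error path from the krb5_rc_default() hunk above, so the two will drift unless kept together; since both paths now reduce to FREE(*id); return retval;, one short comment in each (or a shared cleanup label in each function) avoids the duplication. The FREE(type) preceding FREE(*id) is fine here, since type is no longer needed once krb5_rc_resolve_type() has failed.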


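The ownership rule behind this report, as an added example that is not krb5 code: the function that initializes the mutex (here a pthread mutex standing in for k5_mutex_t) fails only with the mutex still uninitialized, so the caller's error path frees the struct and never destroys the lock. All names (`rcache`, `resolve_type`, `rc_open`, `exercise`, `RC_UNKNOWN_TYPE`) are invented for the illustration.

```c
/* Added example, not krb5 code: models the rc_base.c error path from this
 * ticket.  A pthread mutex stands in for k5_mutex_t; all names are made up. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define RC_UNKNOWN_TYPE 1   /* constructed error code for a bogus type name */

typedef struct rcache {
    pthread_mutex_t lock;   /* valid only after resolve_type() returns 0 */
} rcache;

/* Stand-in for krb5_rc_resolve_type(): it owns mutex init, so it fails only
 * with the mutex still uninitialized (or torn down again right here). */
static int resolve_type(rcache *rc, const char *type)
{
    if (strcmp(type, "dfl") != 0)
        return RC_UNKNOWN_TYPE;           /* fails before touching the mutex */
    if (pthread_mutex_init(&rc->lock, NULL) != 0)
        return ENOMEM;
    return 0;
}

/* Stand-in for the fixed krb5_rc_default(): on resolve_type() failure, free
 * the struct but never destroy the mutex, which was never initialized. */
static int rc_open(rcache **id, const char *type)
{
    int ret;
    if ((*id = calloc(1, sizeof(**id))) == NULL)
        return ENOMEM;
    if ((ret = resolve_type(*id, type)) == 0)
        return 0;
    free(*id);                            /* no mutex destroy on this path */
    *id = NULL;
    return ret;
}

/* Opens an rcache of TYPE and, on success, tears it down: only a handle that
 * rc_open() returned 0 for owns an initialized mutex to destroy. */
static int exercise(const char *type)
{
    rcache *rc = NULL;
    int ret = rc_open(&rc, type);
    if (ret != 0)
        return ret;                       /* nothing was initialized */
    pthread_mutex_destroy(&rc->lock);
    free(rc);
    return 0;
}
```

Running `exercise("bogus")` takes the same path that crashed in 1.4.3 and now simply returns the error code; `exercise("dfl")` takes the success path and performs the matching destroy.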
      Thu Jun  8 16:01:48 2006  raeburn - Status changed from new to resolved    
      Thu Jun  8 16:01:49 2006  raeburn - Given to raeburn    
      Thu Jun  8 16:01:49 2006  raeburn - Correspondence added    
     
From: raeburn@mit.edu
Subject: CVS Commit

Don't call k5_mutex_destroy when krb5_rc_resolve_type fails, because that's
where the mutex would've been initialized.  Reported by Shawn Emery.

Commit By: raeburn



Revision: 18089
Changed Files:
U   trunk/src/lib/krb5/rcache/rc_base.c


      Mon Jun 19 21:33:37 2006  tlyu - Version_Fixed 1.5 added    
      Fri Jun 30 01:23:32 2006  tlyu - Subject changed from rcache mutex access to don't destroy uninitialized rcache mutex in error cases    
      Fri Jun 30 01:23:32 2006  tlyu - Component krb5-libs added    
      Fri Jun 30 01:23:33 2006  tlyu - Version_reported 1.4.3 added