Ticket History #1346: Bug in gss_krb5_ccache

# Thu Oct 31 12:58:23 2002 Ben Cox <cox-work@djehuti.com> - Ticket #1235: - Ticket created

Subject:	Bug in gss_krb5_ccache_name
From:	Ben Cox <cox-work@djehuti.com>
To:	krb5-bugs@mit.edu
Cc:	cox-work@djehuti.com
Date:	31 Oct 2002 13:01:38 -0500

Download (untitled) / with headers
text/plain 756B

Hello,

The attached unified diff against the krb5-1.2.6 source tree fixes a bug
in gss_krb5_ccache_name returns a string that has been freed.

The gss_krb5_ccache_name function has an "out_name" parameter that is
supposed to give the old value of the default ccache name.
Unfortunately, before control returns to the caller,
gss_krb5_ccache_name calls krb5_cc_set_default_name, which frees the
buffer that has just been pointed to by *out_name.

The attached patch fixes gss_krb5_ccache_name to strdup the string
before returning (and return GSS_S_FAILURE if the strdup fails). It
also fixes the only caller of gss_krb5_ccache_name (that I could find in
the source tree), which was strdup'ing the result, not to strdup it
anymore.

Thanks,

-- Ben Cox

Download ccname-diff.patch
text/plain 975B

Message body is not shown because sender requested not to inline it.

# Wed Feb 05 16:55:00 2003 mjv (Marshall Vale) - Ticket created

Subject:

Bug in gss_krb5_ccache_name

Download (untitled) / with headers
text/plain 1.5KiB

Date: Tue, 04 Feb 2003 10:13:07 -0600
From: "Paul W. Nelson" <nelson@thursby.com>

It appears that gss_krb5_ccache_name should return a previous cache name
when the caller passes a non-null out_name. The code attempts to do this,
but it returns a pointer to the cache name storage and not a copy, so when
the name gets set by the call to krb5_cc_set_default_name, the name that is
returned in out_name gets set to the new name and not the old name.

This is in the 1.2.7 source.

Perhaps
if (out_name)
*out_name = krb5_cc_default_name(context);
Should be replaced with
if (out_name)
{
const char * old_ccache = krb5_cc_default_name(context);
*out_name = old_ccache ? strdup( old_ccache ) : NULL;
}

Unfortunately, this call is used in kadm5/clnt/client_init.c, where that
code already does a strdup on the returned old name...

Original 1.2.7 code in src/lib/gssapi/krb5/set_ccache.c:

GSS_DLLIMP OM_uint32 KRB5_CALLCONV
gss_krb5_ccache_name(minor_status, name, out_name)
OM_uint32 *minor_status;
const char *name;
const char **out_name;
{
krb5_context context;
krb5_error_code retval;
OM_uint32 foo_stat;

if (GSS_ERROR(kg_get_context(minor_status, &context)))
return (GSS_S_FAILURE);

if (out_name)
*out_name = krb5_cc_default_name(context);

retval = krb5_cc_set_default_name(context, name);
if (retval) {
*minor_status = retval;
return GSS_S_FAILURE;
}
kg_release_defcred(&foo_stat);
return GSS_S_COMPLETE;
}

--
Paul W. Nelson
Thursby Software Systems, Inc.

# Wed Feb 05 17:05:56 2003 mjv (Marshall Vale) - Requestor <nelson@thursby.com> added

# Tue Feb 25 18:55:53 2003 tlyu (Taylor Yu) - Status changed from 'new' to 'resolved'

# Tue Feb 25 18:55:53 2003 tlyu (Taylor Yu) - Given to tlyu (Taylor Yu)

# Tue Feb 25 18:55:53 2003 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	CVS Commit

Download (untitled) / with headers
text/plain 274B

Thanks, similar patch applied.

* set_ccache.c (gss_krb5_ccache_name): Don't return a pointer to
freed memory.

To generate a diff of this commit:

cvs diff -r1.212 -r1.213 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.6 -r1.7 krb5/src/lib/gssapi/krb5/set_ccache.c

# Wed Feb 26 18:20:09 2003 tlyu (Taylor Yu) - Ticket #1235: - Given to tlyu (Taylor Yu)

# Wed Feb 26 18:20:09 2003 tlyu (Taylor Yu) - Ticket #1235: - Component krb5-libs added

# Wed Feb 26 18:20:10 2003 tlyu (Taylor Yu) - Ticket #1235: - Ticket 1235 MergedInto ticket 1346.

# Wed Feb 26 18:20:10 2003 tlyu (Taylor Yu) - Ticket #1235: - Correspondence added

Download (untitled) / with headers
text/plain 41B

Thanks, a similar patch has been applied.

# Wed Mar 12 20:54:02 2003 tlyu (Taylor Yu) - Version_Fixed 1.3 added

Ticket History #1346: Bug in gss_krb5_ccache_name