Skip Menu |
 

Subject: gss_release_buffer() too easily deallocates memory it should not
Download (untitled) / with headers
text/plain 1.3KiB
The GSS API provides a gss_release_buffer() function for releasing
memory associated with gss_buffer_t objects which were allocated within
the gss library. Unfortunately, half of the gss_buffer_t objects which
applications must deal with are not allocated by the gss library but
instead by the application itself. The app must read from from the
input channel and construct a gss_buffer_t object to pass into GSS
functions for processing.

The chances that an application will attempt to use gss_release_buffer()
to deallocate this memory is extremely high resulting in program crash
at best or memory corruption and unpredictable at worst.

Ken and I were discussing the situation. We believe that the problem
cannot be prevented but we can make it much more obvious to developers
that there is a problem which must be fixed.

When the gss api allocates gss_buffer_t objects it should allocate an
initial four bytes which would be set to a magic value. The pointer
returned to the application would be set to the first byte passed the
magic value. In gss_release_buffer() we would subtract four bytes from
the pointer value and verify the magic value. If the magic value does
not verify the memory was not allocated by the gss api, and therefore we
will call assert() to force the termination of the program with an error.

We should discuss if this is something we can accomplish for 1.3.2.
A patch to gssapiP_generic.h rel_buffer.c, util_buffer.c:

Prepend to all gssapi library allocated gss_buffer_t value fields
a magic 32-bit unsigned value (MIT_KG_MALLOC_MAGIC) for use in
generic_gss_release_buffer() to ensure that we do not call xfree()
on a buffer which was not allocated by the library. Deallocation
of buffers is not safe except by the instance of the C Run Time
Library used to perform the allocation.

This patch almost certainly does not get the alignment issues correct
but I believe is a reasonable approach.
the patch
Download gssapi_malloc_marking.diff
application/octet-stream 12.8KiB

Message body not shown because it is not plain text.