Date: Mon, 09 Jan 2006 00:11:23 -0700
From: Shawn M Emery <Shawn.Emery@Sun.COM>
Subject: rcache mutex access
To: krb5-bugs@mit.edu

Setting a bogus rcache type through the invoking shell's environment
will cause rcache applications to seg fault, due to attempted access to
an invalid memory address. The problem is in the krb5_rc_default() and
krb5_rc_resolve_full() functions, where they attempt to destroy an
uninitialized mutex after krb5_rc_resolve_type() returns failure.
Whenever krb5_rc_resolve_type() returns failure the rcache mutex will
always be uninitialized.

Shawn.
--

Suggested fix based on the 1.4.3 tree:
src/lib/krb5/rcache/rc_base.c :
@@ -117,11 +117,14 @@
if (!(*id = (krb5_rcache )malloc(sizeof(**id))))
return KRB5_RC_MALLOC;

if ((retval = krb5_rc_resolve_type(context, id,
krb5_rc_default_type(context)))) {
- k5_mutex_destroy(&(*id)->lock);
+ /*
+ * k5_mutex_destroy() is not called here, because the mutex had
+ * not been successfully initialized by krb5_rc_resolve_type().
+ */
FREE(*id);
return retval;
}
if ((retval = krb5_rc_resolve(context, *id,
krb5_rc_default_name(context)))) {
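
Review bot: In the krb5_rc_resolve_type() failure branch, the new comment depends on an invariant that lives in another function: krb5_rc_resolve_type() must never return nonzero after it has initialized (*id)->lock. Because *id comes straight from malloc() two lines above, the lock field holds indeterminate bytes until that initialization happens, so dropping k5_mutex_destroy() is correct only while that invariant holds. I would document the contract at krb5_rc_resolve_type() too (on failure the lock is left untouched or already torn down), so that a failure path added there later, after the init, does not quietly turn this branch into a leaked mutex.
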
@@ -155,11 +158,14 @@
return KRB5_RC_MALLOC;
}

if ((retval = krb5_rc_resolve_type(context, id,type))) {
FREE(type);
- k5_mutex_destroy(&(*id)->lock);
+ /*
+ * k5_mutex_destroy() is not called here, because the mutex had
+ * not been successfully initialized by krb5_rc_resolve_type().
+ */
FREE(*id);
return retval;
}
FREE(type);
if ((retval = krb5_rc_resolve(context, *id,residual + 1))) {
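
Review bot: On the error return in this branch (and in the matching branch of the first hunk), FREE(*id) is followed directly by "return retval;", so unless FREE() clears its argument the caller gets an error code together with a stale, non-NULL *id. Setting *id to NULL after the FREE() would make a later cleanup in the caller harmless instead of a second route to the same kind of invalid access. The explanatory comment is also duplicated verbatim in both functions; a small shared helper for "free the rcache whose type did not resolve" would keep the two paths from drifting apart. Since the report says the crash is triggered by an unknown rcache type taken from the environment, a regression test that sets such a type and expects an error return rather than a crash would be worth adding alongside the fix.
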
From: raeburn@mit.edu
Subject: CVS Commit
Don't call k5_mutex_destroy when krb5_rc_resolve_type fails, because that's
where the mutex would've been initialized. Reported by Shawn Emery.

Commit By: raeburn



Revision: 18089
Changed Files:
U trunk/src/lib/krb5/rcache/rc_base.c