Subject: rework gic_opt_ext to be more portable
krb5_gic_opt_ext is an opaque structure that is supposed to be
binary-compatible with krb5_get_init_creds_opt, but might not conform to
the C standard due to type punning. Fix this by including a copy of
krb5_get_init_creds_opt as the first member of krb5_gic_opt and doing
all dependent changes.
A related problem is that the opt_to_opte contract is not nestable. If
you pass in an options structure which is already the result of an
opt_to_opte copy, you will get an alias (because the structure is
extended) which looks like a copy (because the shadowed flag was already
set).

It is also hard for a static analysis tool to detect memory leaks
related to opt_to_opte because of its "maybe a copy, maybe an alias"
contract.

These problems can be patched up in a variety of ways (such as by using
a reference count instead of the shadowed flag), but my favorite is to
get rid of the copies entirely. To do this, we'd pass around pointers
to the unextended options structure everywhere, and use accessor
functions or macros when reading extended options fields. The accessor
would return a default value if the structure is not extended, and would
cast the pointer to the extended structure and retrieve the field if it is.

I'm making these notes here since both fixes involve visiting every
piece of code which touches an options structure.
From: ghudson@mit.edu
Subject: git commit

Improve extended gic option support

The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure cast back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.

Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting
faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.

https://github.com/krb5/krb5/commit/c724843cb90cfed71d54eab94b68b0583c1d6dc5
Author: Greg Hudson <ghudson@mit.edu>
Commit: c724843cb90cfed71d54eab94b68b0583c1d6dc5
Branch: master
src/lib/krb5/krb/Makefile.in | 3 -
src/lib/krb5/krb/deps | 11 -
src/lib/krb5/krb/fast.c | 15 +-
src/lib/krb5/krb/fast.h | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 102 ++++-----
src/lib/krb5/krb/gic_opt.c | 439 +++++++++++++++++--------------------
src/lib/krb5/krb/gic_opt_set_pa.c | 99 ---------
src/lib/krb5/krb/gic_pwd.c | 53 ++---
src/lib/krb5/krb/init_creds_ctx.h | 3 +-
src/lib/krb5/krb/int-proto.h | 118 +++-------
src/lib/krb5/krb/preauth2.c | 22 +-
11 files changed, 316 insertions(+), 551 deletions(-)
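The first-member layout and accessor scheme described in the ticket notes and in the commit message, as an added C illustration rather than krb5's own code: gic_opt, gic_opt_private, OPT_EXTENDED and the fast_flags field are constructed stand-ins for krb5_get_init_creds_opt, the private structure in gic_opt.c and its extended fields. Callers only ever hold a pointer to the public structure; the accessors decide from a flag bit whether the extended fields exist.

```c
#include <stdlib.h>

/* Constructed stand-ins; names and the flag value are illustrative. */
#define OPT_EXTENDED 0x80000000u

typedef struct gic_opt {         /* public, ABI-frozen options structure */
    unsigned int flags;
} gic_opt;

typedef struct gic_opt_private { /* private extended structure */
    gic_opt opt;                 /* first member: &opte->opt == (gic_opt *)opte */
    int fast_flags;
} gic_opt_private;

/* Allocate the extended structure; callers only ever hold a gic_opt *. */
int gic_opt_alloc(gic_opt **opt_out)
{
    gic_opt_private *opte = calloc(1, sizeof(*opte));
    if (opte == NULL)
        return -1;
    opte->opt.flags = OPT_EXTENDED;  /* only this allocator sets the bit */
    *opt_out = &opte->opt;
    return 0;
}

void gic_opt_free(gic_opt *opt)
{
    if (opt != NULL && (opt->flags & OPT_EXTENDED))
        free((gic_opt_private *)opt);  /* valid: opt is the first member */
}

/* Accessor: extended field if present, otherwise a safe default. */
int gic_opt_get_fast_flags(const gic_opt *opt)
{
    if (opt == NULL || !(opt->flags & OPT_EXTENDED))
        return 0;
    return ((const gic_opt_private *)opt)->fast_flags;
}

/* Setter refuses plain (e.g. stack-allocated) structures rather than
 * writing past their end. */
int gic_opt_set_fast_flags(gic_opt *opt, int fast_flags)
{
    if (opt == NULL || !(opt->flags & OPT_EXTENDED))
        return -1;
    ((gic_opt_private *)opt)->fast_flags = fast_flags;
    return 0;
}
```

The scheme depends on gic_opt_alloc being the only code that sets OPT_EXTENDED; a caller that sets the bit on a plain structure it allocated itself would make the accessors read and write past the end of that structure.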