Subject: gss_init_sec_context potential segfault
Date: Tue, 22 Dec 2009 17:40:41 -0500
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@mit.edu>
gss_init_sec_context is supposed to return static memory for the actual
mechanism type but may not. The problem is in krb5_gss_init_sec_context
which returns the requested mechanism, if it was provided, as the actual
mechanism. If the requested mechanism was dynamically allocated by the
caller and the caller frees it and then attempts to access the actual
mechanism type, it causes a segfault. I discovered this while fixing
various issues with SPNEGO but anyone who uses the Kerberos mechanism
directly could see it. This fixes it for us:

Index: init_sec_context.c
===================================================================
--- init_sec_context.c (revision 23482)
+++ init_sec_context.c (working copy)
@@ -979,12 +979,15 @@
err = 1;
}
} else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ mech_type = (gss_OID) gss_mech_krb5;
if (!cred->rfc_mech)
err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+ mech_type = (gss_OID) gss_mech_krb5_old;
if (!cred->prerfc_mech)
err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
+ mech_type = (gss_OID) gss_mech_krb5_wrong;
if (!cred->rfc_mech)
err = 1;
} else {
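Review bot: the three `mech_type = (gss_OID) gss_mech_krb5...` assignments cast away the const of the library's static OID objects, which is fine only because `mech_type` flows to the caller's actual-mechanism output and is never freed or written to; a short comment at the first assignment saying that `mech_type` now aliases a library-owned static object (so nothing further down may free or modify it) would keep a later edit from reintroducing the problem. The branch above the first visible `err = 1;` and the trailing `} else {` branch are outside this hunk; it is worth confirming that any path that accepts a NULL or default `mech_type` likewise ends up returning a static OID rather than the caller's pointer, since the report says the segfault only shows once the caller frees its own OID.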
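The use-after-free described in the report, reduced to a stand-alone C example (added here; this is not krb5 code and uses a minimal `oid_desc` stand-in for `gss_OID`, a hypothetical `actual_mech_unsafe` that mirrors the pre-patch behaviour of handing back the caller's OID pointer, and `actual_mech_safe` that mirrors the patch by mapping a byte-equal OID onto the library's static object). The element bytes are the standard DER encodings of the krb5 mechanism OIDs (1.2.840.113554.1.2.2 and 1.3.5.1.5.2), not values taken from the page:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for gss_OID_desc / gss_OID (hypothetical, same shape as GSS-API). */
typedef struct {
    uint32_t length;
    void *elements;
} oid_desc, *oid;

/* DER element bytes of the krb5 mechanism OIDs (standard encodings, constructed here). */
static unsigned char krb5_oid_bytes[]     = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static unsigned char krb5_old_oid_bytes[] = {0x2b, 0x05, 0x01, 0x05, 0x02};

/* Library-owned static OID objects, analogous to gss_mech_krb5 / gss_mech_krb5_old. */
static oid_desc static_mech_krb5     = { sizeof krb5_oid_bytes, krb5_oid_bytes };
static oid_desc static_mech_krb5_old = { sizeof krb5_old_oid_bytes, krb5_old_oid_bytes };

/* Same semantics as g_OID_equal: compare length and bytes, never pointer identity. */
static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Pre-patch pattern: the caller's requested OID pointer is returned as the actual mechanism. */
oid actual_mech_unsafe(oid requested)
{
    if (requested == NULL)
        return &static_mech_krb5;
    if (oid_equal(requested, &static_mech_krb5) || oid_equal(requested, &static_mech_krb5_old))
        return requested;   /* aliases caller memory: dangles as soon as the caller frees it */
    return NULL;            /* unsupported mechanism */
}

/* Patched pattern: any byte-equal OID is mapped to the library's own static object. */
oid actual_mech_safe(oid requested)
{
    if (requested == NULL)
        return &static_mech_krb5;
    if (oid_equal(requested, &static_mech_krb5))
        return &static_mech_krb5;
    if (oid_equal(requested, &static_mech_krb5_old))
        return &static_mech_krb5_old;
    return NULL;
}

/* Heap copy of an OID, as a caller such as a SPNEGO layer building its own request would make. */
oid oid_dup(const oid_desc *src)
{
    oid copy = malloc(sizeof *copy);
    if (copy == NULL)
        return NULL;
    copy->elements = malloc(src->length);
    if (copy->elements == NULL) {
        free(copy);
        return NULL;
    }
    memcpy(copy->elements, src->elements, src->length);
    copy->length = src->length;
    return copy;
}

void oid_free(oid o)
{
    if (o) {
        free(o->elements);
        free(o);
    }
}

/* 1 if the unsafe variant hands the caller its own pointer back (the bug the report describes). */
int unsafe_aliases_request(void)
{
    oid req = oid_dup(&static_mech_krb5);
    int aliased = actual_mech_unsafe(req) == req;
    oid_free(req);
    return aliased;
}

/* 1 if the safe variant returns the static object, still readable after the request is freed. */
int safe_returns_static(void)
{
    oid req = oid_dup(&static_mech_krb5);
    oid actual = actual_mech_safe(req);
    oid_free(req);   /* caller frees its request; actual must not dangle */
    return actual == &static_mech_krb5 && actual->length == sizeof krb5_oid_bytes;
}

int main(void)
{
    printf("unsafe variant aliases caller memory: %d\n", unsafe_aliases_request());
    printf("safe variant returns static OID:      %d\n", safe_returns_static());
    return 0;
}
```

Under a sanitizer or with a heap debugger, reading through the pointer returned by `actual_mech_unsafe` after `oid_free` is reported as a heap-use-after-free; the safe variant never exposes caller memory, which is exactly the property the patch restores for the three krb5 mechanism branches.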
From: tlyu@mit.edu
Subject: SVN Commit

Apply patch from Arlene Berry to return a comparable static OID object
instead of the application-passed (probably dynamically allocated)
OID, to avoid use-after-free problems.

https://github.com/krb5/krb5/commit/ff98a7e7fb30efccae3c80cbfec518b465674458
Commit By: tlyu
Revision: 23695
Changed Files:
U trunk/src/lib/gssapi/krb5/init_sec_context.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r23695 from trunk

------------------------------------------------------------------------
r23695 | tlyu | 2010-02-04 22:05:42 -0500 (Thu, 04 Feb 2010) | 8 lines

ticket: 6598
tags: pullup
target_version: 1.8

Apply patch from Arlene Berry to return a comparable static OID object
instead of the application-passed (probably dynamically allocated)
OID, to avoid use-after-free problems.

https://github.com/krb5/krb5/commit/13af1e845c35ae20780e66bc8998680fa7389815
Commit By: tlyu
Revision: 23706
Changed Files:
U branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c