diff options
| author | Tom Yu <tlyu@mit.edu> | 2014-01-17 16:21:33 -0500 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2014-01-22 22:21:57 -0500 |
| commit | 5fda425bf4e08fb15b2e77d4dd200f41da0e1905 (patch) | |
| tree | c0664e516aca86530d976ff9d7eb109bd4a60b55 | |
| parent | 0eb2c1a21af5028c0dd0334e0c01566fa1175052 (diff) | |
| download | krb5-5fda425bf4e08fb15b2e77d4dd200f41da0e1905.zip krb5-5fda425bf4e08fb15b2e77d4dd200f41da0e1905.tar.gz krb5-5fda425bf4e08fb15b2e77d4dd200f41da0e1905.tar.bz2 | |
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
(back ported from commit c452644d91d57d8b05ef396a029e34d0c7a48920)
ticket: 7845 (new)
| -rw-r--r-- | src/lib/krb5/krb/copy_ctx.c | 12 | ||||
| -rw-r--r-- | src/lib/krb5/krb/etype_list.c | 2 |
2 files changed, 14 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c index 9d2c3e4..40e68d2 100644 --- a/src/lib/krb5/krb/copy_ctx.c +++ b/src/lib/krb5/krb/copy_ctx.c @@ -77,6 +77,12 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) nctx->ser_ctx_count = 0; nctx->ser_ctx = NULL; nctx->prompt_types = NULL; + nctx->preauth_context = NULL; + nctx->ccselect_handles = NULL; + nctx->kdblog_context = NULL; + nctx->trace_callback = NULL; + nctx->trace_callback_data = NULL; + nctx->plugin_base_dir = NULL; nctx->os_context.default_ccname = NULL; memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); @@ -84,6 +90,7 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) nctx->locate_fptrs = NULL; memset(&nctx->err, 0, sizeof(nctx->err)); + memset(&nctx->plugins, 0, sizeof(nctx->plugins)); ret = krb5int_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes); if (ret) @@ -103,6 +110,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) ret = krb5_get_profile(ctx, &nctx->profile); if (ret) goto errout; + nctx->plugin_base_dir = strdup(ctx->plugin_base_dir); + if (nctx->plugin_base_dir == NULL) { + ret = ENOMEM; + goto errout; + } errout: if (ret) { diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c index a56155f..8ba9f65 100644 --- a/src/lib/krb5/krb/etype_list.c +++ b/src/lib/krb5/krb/etype_list.c @@ -49,6 +49,8 @@ krb5int_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list) krb5_enctype *list; *new_list = NULL; + if (old_list == NULL) + return 0; count = krb5int_count_etypes(old_list); list = malloc(sizeof(krb5_enctype) * (count + 1)); if (list == NULL) |