diff options
author | Greg Hudson <ghudson@mit.edu> | 2020-04-28 11:37:10 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2020-05-21 14:52:58 -0400 |
commit | 781166490aa56efab0c45020f404d672c0c6a414 (patch) | |
tree | ac9e175bffc134c3d55239c8140cac94a4672c5d | |
parent | f6be0da77f5c0d133eb96f4daa23619141095d99 (diff) | |
download | krb5-781166490aa56efab0c45020f404d672c0c6a414.zip krb5-781166490aa56efab0c45020f404d672c0c6a414.tar.gz krb5-781166490aa56efab0c45020f404d672c0c6a414.tar.bz2 |
Fix overzealous SPNEGO src_name/deleg_cred release
Commit 24b844714dea3e47b17511746b5df5b6ddf13d43 (ticket 8845) added
releases of sc->internal_name and sc->deleg_cred before calling the
underlying mech's gss_accept_sec_context(), to avoid a potential leak
if the mech reports a value multiple times. Commit
c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) added a branch
which calls negoex_accept() instead of calling directly into the
underlying mech. If negoex_accept() doesn't call into the mech on the
last acceptor leg, the src_name and deleg_cred values from the final
mech call are lost.
Move the releases to the non-NegoEx branch. negoex_accept() already
does its own releases when it calls into the mech.
Reported by Luke Howard.
(cherry picked from commit b2fe66fed560ae28917a4acae6f6c0f020156353)
ticket: 8898
version_fixed: 1.18.2
-rw-r--r-- | src/lib/gssapi/spnego/spnego_mech.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 8e0c3a3..b97edc8 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -1566,12 +1566,12 @@ acc_ctx_call_acc(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, } mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred; - (void) gss_release_name(&tmpmin, &sc->internal_name); - (void) gss_release_cred(&tmpmin, &sc->deleg_cred); if (negoex) { ret = negoex_accept(minor_status, sc, mcred, mechtok_in, mechtok_out, time_rec); } else { + (void) gss_release_name(&tmpmin, &sc->internal_name); + (void) gss_release_cred(&tmpmin, &sc->deleg_cred); ret = gss_accept_sec_context(minor_status, &sc->ctx_handle, mcred, mechtok_in, GSS_C_NO_CHANNEL_BINDINGS, |