diff options
| author | Tom Yu <tlyu@mit.edu> | 2007-01-10 01:08:05 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2007-01-10 01:08:05 +0000 |
| commit | 34d3a9d632fee17703901d554196d910a9d7cefc (patch) | |
| tree | 451bcf89456964905bf4d80fb67c68ce37cc40b3 | |
| parent | 6dc60e7406961cea442b28d78dd07e00fc53220a (diff) | |
| download | krb5-34d3a9d632fee17703901d554196d910a9d7cefc.zip krb5-34d3a9d632fee17703901d554196d910a9d7cefc.tar.gz krb5-34d3a9d632fee17703901d554196d910a9d7cefc.tar.bz2 | |
fix MITKRB5-SA-2006-002 for 1.5-branch
pull up r19042 from trunk
r19042@cathode-dark-space: tlyu | 2007-01-09 14:45:10 -0500
ticket: new
target_version: 1.6
tags: pullup
subject: MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
component: krb5-libs
Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
that svctcp_destroy() will not call through an uninitialized function
pointer after code in svc_auth_gssapi.c has destroyed expired state
structures. We can't unconditionally null it because the RPCSEC_GSS
implementation needs it to retrieve state.
ticket: new
tags: pullup
target_version: 1.5.2
version_fixed: 1.5.2
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-5@19049 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/lib/rpc/svc.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index 9fa7b33..93b4fd1 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -437,6 +437,8 @@ svc_getreqset(FDSET_TYPE *readfds) #endif } +extern struct svc_auth_ops svc_auth_gss_ops; + static void svc_do_xprt(SVCXPRT *xprt) { @@ -518,6 +520,9 @@ svc_do_xprt(SVCXPRT *xprt) if ((stat = SVC_STAT(xprt)) == XPRT_DIED){ SVC_DESTROY(xprt); break; + } else if ((xprt->xp_auth != NULL) && + (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) { + xprt->xp_auth = NULL; } } while (stat == XPRT_MOREREQS); |