r19042@cathode-dark-space: tlyu | 2007-01-09 14:45:10 -0500
ticket: new
target_version: 1.6
tags: pullup
subject: MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
component: krb5-libs
Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
that svctcp_destroy() will not call through an uninitialized function
pointer after code in svc_auth_gssapi.c has destroyed expired state
structures. We can't unconditionally null it because the RPCSEC_GSS
implementation needs it to retrieve state.
ticket: 5301
version_fixed: 1.6
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19044
dc483132-0cff-0310-8789-
dd5450dbe970
#endif
}
+extern struct svc_auth_ops svc_auth_gss_ops;
+
static void
svc_do_xprt(SVCXPRT *xprt)
{
if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
SVC_DESTROY(xprt);
break;
+ } else if ((xprt->xp_auth != NULL) &&
+ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+ xprt->xp_auth = NULL;
}
} while (stat == XPRT_MOREREQS);