* svc.c (svc_getreqset): Allocate cred and verf memory to
authorTom Yu <tlyu@mit.edu>
Tue, 17 Aug 2004 23:57:16 +0000 (23:57 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 17 Aug 2004 23:57:16 +0000 (23:57 +0000)
temporary pointers, and free the temporary pointers on exit.
Freeing the actual cred and verf pointers can cause corruption
because auth mechanisms can reassign the pointers.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16669 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/rpc/ChangeLog
src/lib/rpc/svc.c

index f58e800985c11a898514fc1dddbaa051a934b5b2..1e90d7fdaa0dbe311ed2258f79c7f474f6bf9802 100644 (file)
@@ -1,3 +1,10 @@
+2004-08-17  Tom Yu  <tlyu@mit.edu>
+
+       * svc.c (svc_getreqset): Allocate cred and verf memory to
+       temporary pointers, and free the temporary pointers on exit.
+       Freeing the actual cred and verf pointers can cause corruption
+       because auth mechanisms can reassign the pointers.
+
 2004-08-16  Tom Yu  <tlyu@mit.edu>
 
        * svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages.
index e7f3243cfa4f02ed60d16fdf0cd2ae6752a02f0a..ac69df48f18c38a7306bf2fd41b1ca3af837d244 100644 (file)
@@ -420,10 +420,18 @@ svc_getreqset(readfds)
        register SVCXPRT *xprt;
        register int sock;
         bool_t no_dispatch;
+       caddr_t rawcred, rawverf, cookedcred;
 
-       msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES);
-       msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES);
-       r.rq_clntcred = mem_alloc(RQCRED_SIZE);
+       rawcred = mem_alloc(MAX_AUTH_BYTES);
+       rawverf = mem_alloc(MAX_AUTH_BYTES);
+       cookedcred = mem_alloc(RQCRED_SIZE);
+
+       if (rawcred == NULL || rawverf == NULL || cookedcred == NULL)
+               return;
+
+       msg.rm_call.cb_cred.oa_base = rawcred;
+       msg.rm_call.cb_verf.oa_base = rawverf;
+       r.rq_clntcred = cookedcred;
 
 #ifdef FD_SETSIZE
        for (sock = 0; sock <= max_xport; sock++) {
@@ -497,7 +505,7 @@ svc_getreqset(readfds)
                } while (stat == XPRT_MOREREQS);
            }
        }
-       mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES);
-       mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES);
-       mem_free(r.rq_clntcred, RQCRED_SIZE);
+       mem_free(rawcred, MAX_AUTH_BYTES);
+       mem_free(rawverf, MAX_AUTH_BYTES);
+       mem_free(cookedcred, RQCRED_SIZE);
 }