MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer

Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
that svctcp_destroy() will not call through an uninitialized function
pointer after code in svc_auth_gssapi.c has destroyed expired state
structures.  We can't unconditionally null it because the RPCSEC_GSS
implementation needs it to retrieve state.

ticket: new
target_version: 1.6
tags: pullup
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19042 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 9fa7b33fea899f8d9b8c20f9c96bd8bf7814d488..93b4fd121b3382e091a0148b8ba91a492cb209ba 100644 (file)
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -437,6 +437,8 @@ svc_getreqset(FDSET_TYPE *readfds)
 #endif
 }
 
+extern struct svc_auth_ops svc_auth_gss_ops;
+
 static void
 svc_do_xprt(SVCXPRT *xprt)
 {
@@ -518,6 +520,9 @@ svc_do_xprt(SVCXPRT *xprt)
                if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
                        SVC_DESTROY(xprt);
                        break;
+               } else if ((xprt->xp_auth != NULL) &&
+                          (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+                       xprt->xp_auth = NULL;
                }
        } while (stat == XPRT_MOREREQS);