Pull up r25659 from trunk

 ------------------------------------------------------------------------
 r25659 | ghudson | 2012-01-26 12:01:05 -0500 (Thu, 26 Jan 2012) | 10 lines

 ticket: 7081
 subject: Don't use stack variable address in as_req state
 target_version: 1.10
 tags: pullup

 The KDC's process_as_req was storing the address of a stack variable
 (client_princ), which fails if the request is not immediately
 serviced.  Move that variable to the state structure so its address
 remains valid for the lifetime of the request.

ticket: 7081
version_fixed: 1.10.1
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25680 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 5d7fc221c195b58384a11fa34f06ede04ce7b8d1..23623fe1b4e4a94697e692d85ae8ec2ad981c2bb 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -102,6 +102,7 @@ struct as_req_state {
     loop_respond_fn respond;
     void *arg;
 
+    krb5_principal_data client_princ;
     krb5_enc_tkt_part enc_tkt_reply;
     krb5_enc_kdc_rep_part reply_encpart;
     krb5_ticket ticket_reply;
@@ -458,7 +459,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_error_code errcode;
     krb5_timestamp rtime;
     unsigned int s_flags = 0;
-    krb5_principal_data client_princ;
     krb5_data encoded_req_body;
     krb5_enctype useenctype;
     struct as_req_state *state;
@@ -699,13 +699,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     state->enc_tkt_reply.session = &state->session_key;
     if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
-        client_princ = *(state->client->princ);
+        state->client_princ = *(state->client->princ);
     } else {
-        client_princ = *(state->request->client);
+        state->client_princ = *(state->request->client);
         /* The realm is always canonicalized */
-        client_princ.realm = state->client->princ->realm;
+        state->client_princ.realm = state->client->princ->realm;
     }
-    state->enc_tkt_reply.client = &client_princ;
+    state->enc_tkt_reply.client = &state->client_princ;
     state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
     state->enc_tkt_reply.transited.tr_contents = empty_string;