From: Tom Yu Date: Wed, 16 Jun 2004 02:37:23 +0000 (+0000) Subject: ok, let's try this again.. X-Git-Tag: krb5-1.4-beta1~320 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2584d8a1f09cc0bf93708474c11a3012bedac42b;p=krb5.git ok, let's try this again.. * accept_sec_context.c (krb5_gss_accept_sec_context): Only null out the auth_context's rcache if it was provided by acceptor creds; this prevents a leak. * delete_sec_context.c (krb5_gss_delete_sec_context): Only null out the auth_context's rcache if it was provided by acceptor creds; this prevents a leak. * gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track whether acceptor creds provided an rcache. ticket: 2600 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16465 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 84fb45606..786a4164a 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,16 @@
+2004-06-15 Tom Yu
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Only null
+ out the auth_context's rcache if it was provided by acceptor
+ creds; this prevents a leak.
+
+ * delete_sec_context.c (krb5_gss_delete_sec_context): Only null
+ out the auth_context's rcache if it was provided by acceptor
+ creds; this prevents a leak.
+
+ * gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track
+ whether acceptor creds provided an rcache.
+
 2004-06-14 Tom Yu
 * init_sec_context.c (krb5_gss_init_sec_context): Fix pointer
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 77ab8df1e..2b7d8494c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -249,7 +249,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 gss_cred_id_t cred_handle = NULL;
 krb5_gss_cred_id_t deleg_cred = NULL;
 krb5int_access kaccess;
- int got_rcache = 0;
+ int cred_rcache = 0;
 code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
 if (code) {
@@ -383,7 +383,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 goto fail;
 }
 if (cred->rcache) {
- got_rcache = 1;
+ cred_rcache = 1;
 if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
 major_status = GSS_S_FAILURE;
 goto fail;
@@ -612,6 +612,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
 ctx->seed_init = 0;
 ctx->big_endian = bigend;
+ ctx->cred_rcache = cred_rcache;
 /* Intern the ctx pointer so that delete_sec_context works */
 if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
@@ -879,7 +880,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 krb5_free_authenticator(context, authdat);
 /* The ctx structure has the handle of the auth_context */
 if (auth_context && !ctx) {
- if (!got_rcache)
+ if (cred_rcache)
 (void)krb5_auth_con_setrcache(context, auth_context, NULL);
 krb5_auth_con_free(context, auth_context);
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 3d4706808..be91cd078 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -94,7 +94,9 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
 krb5_free_keyblock(context, ctx->acceptor_subkey);
 if (ctx->auth_context) {
- (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+ if (ctx->cred_rcache)
+ (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+
 krb5_auth_con_free(context, ctx->auth_context);
 }
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index b5a24960e..5b1394a29 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
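Review bot: The guard in the last accept_sec_context.c hunk, `if (cred_rcache)` ahead of `krb5_auth_con_setrcache(context, auth_context, NULL)`, carries no statement of the ownership rule it enforces, and this commit had to flip its polarity from `!got_rcache`. A comment above the test such as `/* rcache came from the acceptor cred: detach it so krb5_auth_con_free() does not release it */` would make the intent checkable, and the same comment fits the matching test in the delete_sec_context.c hunk. Both call sites also discard the result with `(void)`; if that call can ever fail, the free that follows would presumably release an rcache the cred still references, so the cast deserves a word on why ignoring it is safe. The unbraced `if` directly above an unconditional `krb5_auth_con_free` is easy to misread, and braces would help in both places. Both functions start and end outside their hunks.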
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -192,6 +192,7 @@ typedef struct _krb5_gss_ctx_id_rec {
 krb5_cksumtype cksumtype; /* for "main" subkey */
 krb5_keyblock *acceptor_subkey; /* CFX only */
 krb5_cksumtype acceptor_subkey_cksumtype;
+ int cred_rcache; /* did we get rcache from creds? */
 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
 extern g_set kg_vdb;
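Review bot: The new `cred_rcache` field is read by krb5_gss_delete_sec_context for every context that has an auth_context, but the only assignment visible in this commit is on the acceptor path (`ctx->cred_rcache = cred_rcache;`). Any other code that builds a krb5_gss_ctx_id_rec (initiator or imported contexts, not shown here) must zero-fill the struct or set the field explicitly. Otherwise an indeterminate value decides whether the rcache is detached before `krb5_auth_con_free`. The field comment could state the contract, for example `/* nonzero iff auth_context's rcache is borrowed from acceptor creds; 0 for all other contexts */`. The struct definition starts outside the hunk.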