From: Tom Yu Date: Tue, 17 Aug 2004 23:57:16 +0000 (+0000) Subject: * svc.c (svc_getreqset): Allocate cred and verf memory to X-Git-Tag: krb5-1.4-beta1~142 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6ecd93648f210e43bc4214fbd626a6b93d0e6db3;p=krb5.git * svc.c (svc_getreqset): Allocate cred and verf memory to temporary pointers, and free the temporary pointers on exit. Freeing the actual cred and verf pointers can cause corruption because auth mechanisms can reassign the pointers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16669 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index f58e80098..1e90d7fda 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,10 @@ +2004-08-17 Tom Yu + + * svc.c (svc_getreqset): Allocate cred and verf memory to + temporary pointers, and free the temporary pointers on exit. + Freeing the actual cred and verf pointers can cause corruption + because auth mechanisms can reassign the pointers. + 2004-08-16 Tom Yu * svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages. diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index e7f3243cf..ac69df48f 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -420,10 +420,18 @@ svc_getreqset(readfds) register SVCXPRT *xprt; register int sock; bool_t no_dispatch; + caddr_t rawcred, rawverf, cookedcred; - msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES); - msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES); - r.rq_clntcred = mem_alloc(RQCRED_SIZE); + rawcred = mem_alloc(MAX_AUTH_BYTES); + rawverf = mem_alloc(MAX_AUTH_BYTES); + cookedcred = mem_alloc(RQCRED_SIZE); + + if (rawcred == NULL || rawverf == NULL || cookedcred == NULL) + return; + + msg.rm_call.cb_cred.oa_base = rawcred; + msg.rm_call.cb_verf.oa_base = rawverf; + r.rq_clntcred = cookedcred; #ifdef FD_SETSIZE for (sock = 0; sock <= max_xport; sock++) { @@ -497,7 +505,7 @@ svc_getreqset(readfds) } while (stat == XPRT_MOREREQS); } } - mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES); - mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES); - mem_free(r.rq_clntcred, RQCRED_SIZE); + mem_free(rawcred, MAX_AUTH_BYTES); + mem_free(rawverf, MAX_AUTH_BYTES); + mem_free(cookedcred, RQCRED_SIZE); }