From 2584d8a1f09cc0bf93708474c11a3012bedac42b Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 16 Jun 2004 02:37:23 +0000
Subject: [PATCH] ok, let's try this again..

	* accept_sec_context.c (krb5_gss_accept_sec_context): Only null
	out the auth_context's rcache if it was provided by acceptor
	creds; this prevents a leak.

	* delete_sec_context.c (krb5_gss_delete_sec_context): Only null
	out the auth_context's rcache if it was provided by acceptor
	creds; this prevents a leak.

	* gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track
	whether acceptor creds provided an rcache.

ticket: 2600

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16465 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/ChangeLog            | 13 +++++++++++++
 src/lib/gssapi/krb5/accept_sec_context.c |  7 ++++---
 src/lib/gssapi/krb5/delete_sec_context.c |  4 +++-
 src/lib/gssapi/krb5/gssapiP_krb5.h       |  1 +
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 84fb45606..786a4164a 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,16 @@
+2004-06-15  Tom Yu  <tlyu@mit.edu>
+
+	* accept_sec_context.c (krb5_gss_accept_sec_context): Only null
+	out the auth_context's rcache if it was provided by acceptor
+	creds; this prevents a leak.
+
+	* delete_sec_context.c (krb5_gss_delete_sec_context): Only null
+	out the auth_context's rcache if it was provided by acceptor
+	creds; this prevents a leak.
+
+	* gssapiP_krb5.h (krb5_gss_ctx_id_rec): Add cred_rcache to track
+	whether acceptor creds provided an rcache.
+
 2004-06-14  Tom Yu  <tlyu@mit.edu>
 
 	* init_sec_context.c (krb5_gss_init_sec_context): Fix pointer
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 77ab8df1e..2b7d8494c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -249,7 +249,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    gss_cred_id_t cred_handle = NULL;
    krb5_gss_cred_id_t deleg_cred = NULL;
    krb5int_access kaccess;
-   int got_rcache = 0;
+   int cred_rcache = 0;
 
    code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
    if (code) {
@@ -383,7 +383,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        goto fail;
    }
    if (cred->rcache) {
-       got_rcache = 1;
+       cred_rcache = 1;
        if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
 	   major_status = GSS_S_FAILURE;
 	   goto fail;
@@ -612,6 +612,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
                             GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
    ctx->seed_init = 0;
    ctx->big_endian = bigend;
+   ctx->cred_rcache = cred_rcache;
 
    /* Intern the ctx pointer so that delete_sec_context works */
    if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
@@ -879,7 +880,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        krb5_free_authenticator(context, authdat);
    /* The ctx structure has the handle of the auth_context */
    if (auth_context && !ctx) {
-       if (!got_rcache)
+       if (cred_rcache)
 	   (void)krb5_auth_con_setrcache(context, auth_context, NULL);
 
        krb5_auth_con_free(context, auth_context);
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 3d4706808..be91cd078 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -94,7 +94,9 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
        krb5_free_keyblock(context, ctx->acceptor_subkey);
 
    if (ctx->auth_context) {
-       (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+       if (ctx->cred_rcache)
+	   (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+
        krb5_auth_con_free(context, ctx->auth_context);
    }
 
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index b5a24960e..5b1394a29 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -192,6 +192,7 @@ typedef struct _krb5_gss_ctx_id_rec {
    krb5_cksumtype cksumtype;	/* for "main" subkey */
    krb5_keyblock *acceptor_subkey; /* CFX only */
    krb5_cksumtype acceptor_subkey_cksumtype;
+   int cred_rcache;		/* did we get rcache from creds? */
 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
 
 extern g_set kg_vdb;
-- 
2.26.2