From 34d3a9d632fee17703901d554196d910a9d7cefc Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 10 Jan 2007 01:08:05 +0000
Subject: [PATCH] fix MITKRB5-SA-2006-002 for 1.5-branch

pull up r19042 from trunk

 r19042@cathode-dark-space:  tlyu | 2007-01-09 14:45:10 -0500
 ticket: new
 target_version: 1.6
 tags: pullup
 subject: MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
 component: krb5-libs

 Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
 that svctcp_destroy() will not call through an uninitialized function
 pointer after code in svc_auth_gssapi.c has destroyed expired state
 structures.  We can't unconditionally null it because the RPCSEC_GSS
 implementation needs it to retrieve state.



ticket: new
tags: pullup
target_version: 1.5.2
version_fixed: 1.5.2
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-5@19049 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 9fa7b33fe..93b4fd121 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -437,6 +437,8 @@ svc_getreqset(FDSET_TYPE *readfds)
 #endif
 }
 
+extern struct svc_auth_ops svc_auth_gss_ops;
+
 static void
 svc_do_xprt(SVCXPRT *xprt)
 {
@@ -518,6 +520,9 @@ svc_do_xprt(SVCXPRT *xprt)
 		if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
 			SVC_DESTROY(xprt);
 			break;
+		} else if ((xprt->xp_auth != NULL) &&
+			   (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+			xprt->xp_auth = NULL;
 		}
 	} while (stat == XPRT_MOREREQS);
 
-- 
2.26.2