From 5223fe7f7208afa2830b845154c653f545589cd0 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 9 Jan 2007 20:21:31 +0000 Subject: [PATCH] pull up r19042 from trunk r19042@cathode-dark-space: tlyu | 2007-01-09 14:45:10 -0500 ticket: new target_version: 1.6 tags: pullup subject: MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer component: krb5-libs Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so that svctcp_destroy() will not call through an uninitialized function pointer after code in svc_auth_gssapi.c has destroyed expired state structures. We can't unconditionally null it because the RPCSEC_GSS implementation needs it to retrieve state. ticket: 5301 version_fixed: 1.6 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19044 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/rpc/svc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index 9fa7b33fe..93b4fd121 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -437,6 +437,8 @@ svc_getreqset(FDSET_TYPE *readfds) #endif } +extern struct svc_auth_ops svc_auth_gss_ops; + static void svc_do_xprt(SVCXPRT *xprt) { @@ -518,6 +520,9 @@ svc_do_xprt(SVCXPRT *xprt) if ((stat = SVC_STAT(xprt)) == XPRT_DIED){ SVC_DESTROY(xprt); break; + } else if ((xprt->xp_auth != NULL) && + (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) { + xprt->xp_auth = NULL; } } while (stat == XPRT_MOREREQS); -- 2.26.2