From 6ecd93648f210e43bc4214fbd626a6b93d0e6db3 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 17 Aug 2004 23:57:16 +0000
Subject: [PATCH] * svc.c (svc_getreqset): Allocate cred and verf memory to temporary pointers, and free the temporary pointers on exit. Freeing the actual cred and verf pointers can cause corruption because auth mechanisms can reassign the pointers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16669 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/ChangeLog | 7 +++++++
 src/lib/rpc/svc.c | 20 ++++++++++++++------
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index f58e80098..1e90d7fda 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,10 @@
+2004-08-17 Tom Yu
+
+ * svc.c (svc_getreqset): Allocate cred and verf memory to
+ temporary pointers, and free the temporary pointers on exit.
+ Freeing the actual cred and verf pointers can cause corruption
+ because auth mechanisms can reassign the pointers.
+
 2004-08-16 Tom Yu
 * svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages.
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index e7f3243cf..ac69df48f 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -420,10 +420,18 @@ svc_getreqset(readfds)
 register SVCXPRT *xprt;
 register int sock;
 bool_t no_dispatch;
+ caddr_t rawcred, rawverf, cookedcred;
- msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES);
- msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES);
- r.rq_clntcred = mem_alloc(RQCRED_SIZE);
+ rawcred = mem_alloc(MAX_AUTH_BYTES);
+ rawverf = mem_alloc(MAX_AUTH_BYTES);
+ cookedcred = mem_alloc(RQCRED_SIZE);
+
+ if (rawcred == NULL || rawverf == NULL || cookedcred == NULL)
+ return;
+
+ msg.rm_call.cb_cred.oa_base = rawcred;
+ msg.rm_call.cb_verf.oa_base = rawverf;
+ r.rq_clntcred = cookedcred;
 #ifdef FD_SETSIZE
 for (sock = 0; sock <= max_xport; sock++) {
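Review bot: The new allocation-failure guard returns without releasing the buffers that did succeed, so when only one or two of `rawcred`, `rawverf` and `cookedcred` are NULL the others leak on every such call. The early `return` also skips the `mem_free` calls at the end of the function (second hunk), which is the only cleanup visible in this patch. Freeing the non-NULL temporaries before returning closes that path; the guarded form below avoids assuming that `mem_free` accepts NULL, which the diff does not show. svc_getreqset starts before this hunk and continues past it.

```c
cookedcred = mem_alloc(RQCRED_SIZE);

if (rawcred == NULL || rawverf == NULL || cookedcred == NULL) {
	/* Release whichever allocations succeeded before giving up. */
	if (rawcred != NULL)
		mem_free(rawcred, MAX_AUTH_BYTES);
	if (rawverf != NULL)
		mem_free(rawverf, MAX_AUTH_BYTES);
	if (cookedcred != NULL)
		mem_free(cookedcred, RQCRED_SIZE);
	return;
}
/* … unchanged: assignments to cb_cred.oa_base, cb_verf.oa_base and rq_clntcred … */
```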
@@ -497,7 +505,7 @@ svc_getreqset(readfds)
 } while (stat == XPRT_MOREREQS);
 }
 }
- mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES);
- mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES);
- mem_free(r.rq_clntcred, RQCRED_SIZE);
+ mem_free(rawcred, MAX_AUTH_BYTES);
+ mem_free(rawverf, MAX_AUTH_BYTES);
+ mem_free(cookedcred, RQCRED_SIZE);
 }
--
2.26.2
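Review bot: The reason these three `mem_free` calls take the temporaries rather than `msg.rm_call.cb_cred.oa_base`, `msg.rm_call.cb_verf.oa_base` and `r.rq_clntcred` is recorded only in the ChangeLog, so a later cleanup could plausibly fold them back to the struct fields and reintroduce the heap corruption. A comment directly above the calls would keep the invariant next to the code, for example `/* Free the saved pointers: auth mechanisms may reassign oa_base and rq_clntcred, so the struct fields may no longer point at our allocations. */`. The function body begins outside this hunk.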