From 80f701fb42806dc549cf86a83b3aadbdd07d4c6b Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 9 Jan 2007 19:45:10 +0000 Subject: [PATCH] MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so that svctcp_destroy() will not call through an uninitialized function pointer after code in svc_auth_gssapi.c has destroyed expired state structures. We can't unconditionally null it because the RPCSEC_GSS implementation needs it to retrieve state. ticket: new target_version: 1.6 tags: pullup component: krb5-libs git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19042 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/rpc/svc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index 9fa7b33fe..93b4fd121 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -437,6 +437,8 @@ svc_getreqset(FDSET_TYPE *readfds) #endif } +extern struct svc_auth_ops svc_auth_gss_ops; + static void svc_do_xprt(SVCXPRT *xprt) { @@ -518,6 +520,9 @@ svc_do_xprt(SVCXPRT *xprt) if ((stat = SVC_STAT(xprt)) == XPRT_DIED){ SVC_DESTROY(xprt); break; + } else if ((xprt->xp_auth != NULL) && + (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) { + xprt->xp_auth = NULL; } } while (stat == XPRT_MOREREQS); -- 2.26.2