From c50e1ec76aa1e1c8a75a5c138d5c31c3165d212c Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 14 Apr 2009 21:07:21 +0000 Subject: [PATCH] pull up r22081, r22082 from trunk ------------------------------------------------------------------------ r22082 | raeburn | 2009-03-12 18:06:35 -0400 (Thu, 12 Mar 2009) | 6 lines Changed paths: M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c ticket: 6412 tags: pullup Better fix: Delay setting 'outbuf' until after the header buffer might have been allocated locally, and set it in both code paths instead of just the confidentiality-requested code path. ------------------------------------------------------------------------ r22081 | raeburn | 2009-03-12 12:48:15 -0400 (Thu, 12 Mar 2009) | 7 lines Changed paths: M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c ticket: 6412 subject: crash using library-allocated storage for header in wrap_iov target_version: 1.7 tags: pullup When allocating storage for the header buffer, update the internal output buffer pointer as well. ticket: 6412 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22220 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/k5sealv3iov.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c index 98904b62d..c30352b0a 100644 --- a/src/lib/gssapi/krb5/k5sealv3iov.c +++ b/src/lib/gssapi/krb5/k5sealv3iov.c @@ -90,8 +90,6 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); - outbuf = (unsigned char *)header->buffer.value; - if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { unsigned int k5_headerlen, k5_trailerlen, k5_padlen; size_t ec = 0; @@ -129,12 +127,13 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, gss_headerlen += gss_trailerlen; } - if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) + if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) { code = kg_allocate_iov(header, (size_t) gss_headerlen); - else if (header->buffer.length < gss_headerlen) + } else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { @@ -204,6 +203,7 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { -- 2.26.2