From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Wed, 1 Oct 2014 14:20:27 -0700

Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not

 thread safe

Description: client_dispose (lib/clinet.c) which closes a connection

of a sasl client frees mech_list if the head of the list differs

from the head of the global cmechlist->mech_list.  But there was a

possibility that the list appears in the middle of the global mech

list.  By freeing the mech, it crashed a multi-threaded sasl client.

This patch checks each mech if it is in the global mech list or not.

Only if it is not, the mech is freed.

---

 lib/client.c | 27 +++++++++++++++++++++++++++

 1 file changed, 27 insertions(+)

diff --git a/lib/client.c b/lib/client.c

index 31fe346..3f76483 100644

--- a/lib/client.c

+++ b/lib/client.c

@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks)

   return ret;

 }

+/*

+ * If mech is in cmechlist->mech_list, return 1

+ * Otherwise, return 0

+ */

+static int mech_is_in_cmechlist(cmechanism_t *mech)

+{

+  cmechanism_t *m = cmechlist->mech_list;

+  if (NULL == mech) {

+    return 0;

+  }

+  

+  while (m && mech) {

+    if (m == mech) {

+      return 1;

+    }

+    m = m->next;

+  }

+  return 0;

+}

+

 static void client_dispose(sasl_conn_t *pconn)

 {

   sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn;

@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn)

       while (m) {

 	  prevm = m;

 	  m = m->next;

+	  if (mech_is_in_cmechlist(prevm)) {

+	    /*

+	     * If prevm exists in the global mech_list cmechlist->mech_list,

+	     * we should not free it as well as the rest of the list.

+	     */

+	    break;

+	  }

 	  sasl_FREE(prevm);    

       }

   }

-- 

1.9.3