|
 |
167778 |
From eb58cafce36423ece63a4c1b503a965b38527171 Mon Sep 17 00:00:00 2001
|
|
|
167778 |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
167778 |
Date: Wed, 18 Apr 2018 14:13:28 -0400
|
|
|
167778 |
Subject: [PATCH] Fix segfault in finish_dispatch()
|
|
|
167778 |
|
|
|
167778 |
dispatch() doesn't necessarily initialize state->active_realm which
|
|
|
167778 |
led to an explicit NULL dereference in finish_dispatch().
|
|
|
167778 |
|
|
|
167778 |
Additionally, fix make_too_big_error() so that it won't subsequently
|
|
|
167778 |
dereference state->active_realm.
|
|
|
167778 |
|
|
|
167778 |
tags: pullup
|
|
|
167778 |
target_version: 1.16-next
|
|
|
167778 |
target_version: 1.15-next
|
|
|
167778 |
|
|
|
167778 |
(cherry picked from commit c822bacc1b33970a2a20d9eae80f43307e783516)
|
|
|
167778 |
---
|
|
|
167778 |
src/kdc/dispatch.c | 79 ++++++++++++++++++++++++----------------------
|
|
|
167778 |
1 file changed, 42 insertions(+), 37 deletions(-)
|
|
|
167778 |
|
|
|
167778 |
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
|
|
|
167778 |
index 4ecc23481..1f4b70874 100644
|
|
|
167778 |
--- a/src/kdc/dispatch.c
|
|
|
167778 |
+++ b/src/kdc/dispatch.c
|
|
|
167778 |
@@ -35,9 +35,6 @@
|
|
|
167778 |
|
|
|
167778 |
static krb5_int32 last_usec = 0, last_os_random = 0;
|
|
|
167778 |
|
|
|
167778 |
-static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm,
|
|
|
167778 |
- krb5_data **out);
|
|
|
167778 |
-
|
|
|
167778 |
struct dispatch_state {
|
|
|
167778 |
loop_respond_fn respond;
|
|
|
167778 |
void *arg;
|
|
|
167778 |
@@ -47,6 +44,41 @@ struct dispatch_state {
|
|
|
167778 |
krb5_context kdc_err_context;
|
|
|
167778 |
};
|
|
|
167778 |
|
|
|
167778 |
+
|
|
|
167778 |
+static krb5_error_code
|
|
|
167778 |
+make_too_big_error(krb5_context context, krb5_principal tgsprinc,
|
|
|
167778 |
+ krb5_data **out)
|
|
|
167778 |
+{
|
|
|
167778 |
+ krb5_error errpkt;
|
|
|
167778 |
+ krb5_error_code retval;
|
|
|
167778 |
+ krb5_data *scratch;
|
|
|
167778 |
+
|
|
|
167778 |
+ *out = NULL;
|
|
|
167778 |
+ memset(&errpkt, 0, sizeof(errpkt));
|
|
|
167778 |
+
|
|
|
167778 |
+ retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
|
|
|
167778 |
+ if (retval)
|
|
|
167778 |
+ return retval;
|
|
|
167778 |
+ errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
|
|
|
167778 |
+ errpkt.server = tgsprinc;
|
|
|
167778 |
+ errpkt.client = NULL;
|
|
|
167778 |
+ errpkt.text.length = 0;
|
|
|
167778 |
+ errpkt.text.data = 0;
|
|
|
167778 |
+ errpkt.e_data.length = 0;
|
|
|
167778 |
+ errpkt.e_data.data = 0;
|
|
|
167778 |
+ scratch = malloc(sizeof(*scratch));
|
|
|
167778 |
+ if (scratch == NULL)
|
|
|
167778 |
+ return ENOMEM;
|
|
|
167778 |
+ retval = krb5_mk_error(context, &errpkt, scratch);
|
|
|
167778 |
+ if (retval) {
|
|
|
167778 |
+ free(scratch);
|
|
|
167778 |
+ return retval;
|
|
|
167778 |
+ }
|
|
|
167778 |
+
|
|
|
167778 |
+ *out = scratch;
|
|
|
167778 |
+ return 0;
|
|
|
167778 |
+}
|
|
|
167778 |
+
|
|
|
167778 |
static void
|
|
|
167778 |
finish_dispatch(struct dispatch_state *state, krb5_error_code code,
|
|
|
167778 |
krb5_data *response)
|
|
|
167778 |
@@ -54,12 +86,17 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code,
|
|
|
167778 |
loop_respond_fn oldrespond = state->respond;
|
|
|
167778 |
void *oldarg = state->arg;
|
|
|
167778 |
kdc_realm_t *kdc_active_realm = state->active_realm;
|
|
|
167778 |
+ krb5_principal tgsprinc = NULL;
|
|
|
167778 |
+
|
|
|
167778 |
+ if (kdc_active_realm != NULL)
|
|
|
167778 |
+ tgsprinc = kdc_active_realm->realm_tgsprinc;
|
|
|
167778 |
|
|
|
167778 |
if (state->is_tcp == 0 && response &&
|
|
|
167778 |
response->length > (unsigned int)max_dgram_reply_size) {
|
|
|
167778 |
- krb5_free_data(kdc_context, response);
|
|
|
167778 |
+ krb5_free_data(state->kdc_err_context, response);
|
|
|
167778 |
response = NULL;
|
|
|
167778 |
- code = make_too_big_error(kdc_active_realm, &response);
|
|
|
167778 |
+ code = make_too_big_error(state->kdc_err_context, tgsprinc,
|
|
|
167778 |
+ &response);
|
|
|
167778 |
if (code)
|
|
|
167778 |
krb5_klog_syslog(LOG_ERR, "error constructing "
|
|
|
167778 |
"KRB_ERR_RESPONSE_TOO_BIG error: %s",
|
|
|
167778 |
@@ -201,38 +238,6 @@ dispatch(void *cb, struct sockaddr *local_saddr,
|
|
|
167778 |
finish_dispatch_cache(state, retval, response);
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
-static krb5_error_code
|
|
|
167778 |
-make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
|
|
|
167778 |
-{
|
|
|
167778 |
- krb5_error errpkt;
|
|
|
167778 |
- krb5_error_code retval;
|
|
|
167778 |
- krb5_data *scratch;
|
|
|
167778 |
-
|
|
|
167778 |
- *out = NULL;
|
|
|
167778 |
- memset(&errpkt, 0, sizeof(errpkt));
|
|
|
167778 |
-
|
|
|
167778 |
- retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
|
|
|
167778 |
- if (retval)
|
|
|
167778 |
- return retval;
|
|
|
167778 |
- errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
|
|
|
167778 |
- errpkt.server = tgs_server;
|
|
|
167778 |
- errpkt.client = NULL;
|
|
|
167778 |
- errpkt.text.length = 0;
|
|
|
167778 |
- errpkt.text.data = 0;
|
|
|
167778 |
- errpkt.e_data.length = 0;
|
|
|
167778 |
- errpkt.e_data.data = 0;
|
|
|
167778 |
- scratch = malloc(sizeof(*scratch));
|
|
|
167778 |
- if (scratch == NULL)
|
|
|
167778 |
- return ENOMEM;
|
|
|
167778 |
- retval = krb5_mk_error(kdc_context, &errpkt, scratch);
|
|
|
167778 |
- if (retval) {
|
|
|
167778 |
- free(scratch);
|
|
|
167778 |
- return retval;
|
|
|
167778 |
- }
|
|
|
167778 |
-
|
|
|
167778 |
- *out = scratch;
|
|
|
167778 |
- return 0;
|
|
|
167778 |
-}
|
|
|
167778 |
|
|
|
167778 |
krb5_context get_context(void *handle)
|
|
|
167778 |
{
|