[krb5/f19] Pull in a couple of interop and memory leak fixes

Nalin Dahyabhai nalin at fedoraproject.org
Wed Dec 18 20:30:00 UTC 2013


commit 727bfbead6dafdad1c3cd871e248cfcf54add86d
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Wed Dec 18 15:29:35 2013 -0500

    Pull in a couple of interop and memory leak fixes
    
    - pull in fix from master to return a NULL pointer rather than allocating
      zero bytes of memory if we read a zero-length input token (RT#7794, part
      of #1043962)
    - pull in fix from master to ignore an empty token from an acceptor if
      we've already finished authenticating (RT#7797, part of #1043962)
    - pull in fix from master to avoid a memory leak when a mechanism's
      init_sec_context function fails (RT#7803, part of #1043962)
    - pull in fix from master to avoid a memory leak in a couple of error
      cases which could occur while obtaining acceptor credentials (RT#7805,
      part of #1043962)

 krb5-master-gss_oid_leak.patch                     |   28 ++++++++++++++
 ...ster-ignore-empty-unnecessary-final-token.patch |   37 +++++++++++++++++++
 krb5-master-keytab_close.patch                     |   39 ++++++++++++++++++++
 krb5-master-no-malloc0.patch                       |   39 ++++++++++++++++++++
 krb5.spec                                          |   22 +++++++++++-
 5 files changed, 164 insertions(+), 1 deletions(-)
---
diff --git a/krb5-master-gss_oid_leak.patch b/krb5-master-gss_oid_leak.patch
new file mode 100644
index 0000000..9613823
--- /dev/null
+++ b/krb5-master-gss_oid_leak.patch
@@ -0,0 +1,28 @@
+commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
+Author: Simo Sorce <simo at redhat.com>
+Date:   Fri Dec 13 12:00:41 2013 -0500
+
+    Fix memory leak in SPNEGO initiator
+    
+    If we eliminate a mechanism from the initiator list because
+    gss_init_sec_context fails, free the memory for that mech OID before
+    removing it from the list.
+    
+    [ghudson at mit.edu: clarified commit message]
+    
+    ticket: 7803 (new)
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 818a1b4..06cfab0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
+ 	 * can do this with recursion.  If all mechanisms produce errors, the
+ 	 * caller should get the error from the first mech in the list.
+ 	 */
++	gssalloc_free(sc->mech_set->elements->elements);
+ 	memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
+ 		--sc->mech_set->count * sizeof(*sc->mech_set->elements));
+ 	if (sc->mech_set->count == 0)
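Review bot: The added `gssalloc_free(sc->mech_set->elements->elements)` releases the OID storage but leaves the dangling pointer in the slot until the memmove overwrites it, and when `count` was 1 the memmove copies nothing, so the freed pointer stays in `elements[0]` with `count` now 0. That is harmless only as long as every consumer of `sc->mech_set` honours `count` rather than walking the array, which a release loop normally does, but it deserves a comment: `/* Free the OID storage first; after the shift the slot beyond count holds a stale copy and must never be released again. */`. It also assumes the OIDs in `sc->mech_set` were allocated through gssalloc rather than pointing at static mechanism OIDs — worth confirming against where the set is built, since a static OID here would be a bad free. init_ctx_call_init begins and ends outside the hunk.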
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch
new file mode 100644
index 0000000..3ebb888
--- /dev/null
+++ b/krb5-master-ignore-empty-unnecessary-final-token.patch
@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Tue Dec 10 12:04:18 2013 -0500
+
+    Fix SPNEGO one-hop interop against old IIS
+    
+    IIS 6.0 and similar return a zero length reponse buffer in the last
+    SPNEGO packet when context initiation is performed without mutual
+    authentication.  In this case the underlying Kerberos mechanism has
+    already completed successfully on the first invocation, and SPNEGO
+    does not expect a mech response token in the answer.  If we get an
+    empty mech response token when the mech is complete during
+    negotiation, ignore it.
+    
+    [ghudson at mit.edu: small code style and commit message changes]
+    
+    ticket: 7797 (new)
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 			map_errcode(minor_status);
+ 			ret = GSS_S_DEFECTIVE_TOKEN;
+ 		}
++	} else if ((*responseToken)->length == 0 && sc->mech_complete) {
++		/* Handle old IIS servers returning empty token instead of
++		 * null tokens in the non-mutual auth case. */
++		*negState = ACCEPT_COMPLETE;
++		*tokflag = NO_TOKEN_SEND;
++		ret = GSS_S_COMPLETE;
+ 	} else if (sc->mech_complete) {
+ 		/* Reject spurious mech token. */
+ 		ret = GSS_S_DEFECTIVE_TOKEN;
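Review bot: The new branch `(*responseToken)->length == 0 && sc->mech_complete` dereferences `*responseToken` with no GSS_C_NO_BUFFER guard visible in the hunk, and it forces `*negState = ACCEPT_COMPLETE` regardless of the negState the acceptor actually sent. If the earlier branches of init_ctx_nego (outside the hunk) already reject a missing buffer and a REJECT/REQUEST_MIC state before reaching this chain, the override is fine; otherwise an empty mech token paired with a non-accept negState would be reported as a completed context. I would pin the ordering with a comment on the new branch, e.g. `/* Must precede the spurious-token rejection below; only reached once the peer's negState has been validated. */`, so a later reshuffle cannot move the lenient case after the strict one. The enclosing function continues outside the hunk.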
diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch
new file mode 100644
index 0000000..d020ae6
--- /dev/null
+++ b/krb5-master-keytab_close.patch
@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Mon Dec 16 15:37:56 2013 -0500
+
+    Fix GSS krb5 acceptor acquire_cred error handling
+    
+    When acquiring acceptor creds with a specified name, if we fail to
+    open a replay cache, we leak the keytab handle.  If there is no
+    specified name and we discover that there is no content in the keytab,
+    we leak the keytab handle and return the wrong major code.  Memory
+    leak reported by Andrea Campi.
+    
+    ticket: 7805
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+         code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+                                       &cred->rcache);
+         if (code) {
++            krb5_kt_close(context, kt);
+             *minor_status = code;
+             return GSS_S_FAILURE;
+         }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+         /* Make sure we have a keytab with keys in it. */
+         code = krb5_kt_have_content(context, kt);
+         if (code) {
++            krb5_kt_close(context, kt);
+             *minor_status = code;
+-            return GSS_S_FAILURE;
++            return GSS_S_CRED_UNAVAIL;
+         }
+     }
+ 
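Review bot: The two new `krb5_kt_close(context, kt);` calls repeat the same cleanup on adjacent error paths, and since acquire_accept_cred continues past the hunk, any failure between here and the point where `kt` is handed to the credential would need a third copy; a single failure label that closes `kt` would be more robust than per-branch closes. The switch to `GSS_S_CRED_UNAVAIL` also covers every non-zero return from `krb5_kt_have_content`, not only the no-keys case, so an unreadable keytab now reports the same major code as an empty one — acceptable if callers rely on `*minor_status` for the distinction, but worth noting next to the return: `/* Any keytab problem (empty or unreadable) is reported as unavailable creds; minor_status carries the cause. */`. The function begins and ends outside the hunk.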
diff --git a/krb5-master-no-malloc0.patch b/krb5-master-no-malloc0.patch
new file mode 100644
index 0000000..e5b0e63
--- /dev/null
+++ b/krb5-master-no-malloc0.patch
@@ -0,0 +1,39 @@
+commit 13fd26e1863c79f616653f6a10a58c01f65fceff
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Fri Dec 6 18:56:56 2013 -0500
+
+    Avoid malloc(0) in SPNEGO get_input_token
+    
+    If we read a zero-length token in spnego_mech.c's get_input_token(),
+    set the value pointer to NULL instead of calling malloc(0).
+    
+    ticket: 7794 (new)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 24c3440..3937662 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ 		return (NULL);
+ 
+ 	input_token->length = len;
+-	input_token->value = gssalloc_malloc(input_token->length);
++	if (input_token->length > 0) {
++		input_token->value = gssalloc_malloc(input_token->length);
++		if (input_token->value == NULL) {
++			free(input_token);
++			return (NULL);
++		}
+ 
+-	if (input_token->value == NULL) {
+-		free(input_token);
+-		return (NULL);
++		memcpy(input_token->value, *buff_in, input_token->length);
++	} else {
++		input_token->value = NULL;
+ 	}
+-
+-	(void) memcpy(input_token->value, *buff_in, input_token->length);
+ 	*buff_in += input_token->length;
+ 	return (input_token);
+ }
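Review bot: The `memcpy` on the new side copies `input_token->length` bytes from `*buff_in` with no bound against `buff_length` visible in the hunk; the length is parsed above the hunk, presumably by a tag/length routine that checks it against `buff_length`, but since this token comes from the peer that check is what the copy's safety rests on and should be confirmed. The `else` branch would benefit from a why-comment, e.g. `/* Zero-length token: leave value NULL rather than call malloc(0), whose NULL return on some platforms would be misread as an allocation failure. */` — presumably that is the motivation, as the commit message states only the what. Callers now receive a buffer with `length == 0` and `value == NULL`, which is distinct from a NULL return, so any downstream code that hands `value` to memcmp/memcpy unconditionally must tolerate the NULL pointer. get_input_token's opening lines are outside the hunk.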
diff --git a/krb5.spec b/krb5.spec
index 7ad064c..0dc7597 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -32,7 +32,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 14%{?dist}
+Release: 15%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -103,6 +103,10 @@ Patch138: krb5-1.11.3-gss-ccache-import.patch
 Patch139: krb5-CVE-2013-1418.patch
 Patch140: krb5-CVE-2013-1417.patch
 Patch141: krb5-1.11.3-client-loop.patch
+Patch142: krb5-master-no-malloc0.patch
+Patch143: krb5-master-ignore-empty-unnecessary-final-token.patch
+Patch144: krb5-master-gss_oid_leak.patch
+Patch145: krb5-master-keytab_close.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -340,6 +344,10 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .CVE-2013-1418
 %patch140 -p1 -b .CVE-2013-1417
 %patch141 -p1 -b .client-loop
+%patch142 -p1 -b .no-malloc0
+%patch143 -p1 -b .ignore-empty-unnecessary-final-token
+%patch144 -p1 -b .gss_oid_leak
+%patch145 -p1 -b .keytab_close
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -934,6 +942,18 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Wed Dec 18 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-15
+- pull in fix from master to return a NULL pointer rather than allocating
+  zero bytes of memory if we read a zero-length input token (RT#7794, part
+  of #1043962)
+- pull in fix from master to ignore an empty token from an acceptor if
+  we've already finished authenticating (RT#7797, part of #1043962)
+- pull in fix from master to avoid a memory leak when a mechanism's
+  init_sec_context function fails (RT#7803, part of #1043962)
+- pull in fix from master to avoid a memory leak in a couple of error
+  cases which could occur while obtaining acceptor credentials (RT#7805,
+  part of #1043962)
+
 * Tue Dec 17 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-14
 - backport additional changes to libkrad to make it function more like
   the version in upstream 1.12, and a few things in the OTP plugin as well

