From: robertc <>
Date: Tue, 21 Dec 2004 00:35:58 +0000 (+0000)
Subject: merge in bugfix for bug 872 - NTLM locking improvements to prevent crashes
X-Git-Tag: SQUID_3_0_PRE4~975
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8777d90ebe09a91147d6cba2c8149c39af07f82b;p=thirdparty%2Fsquid.git
merge in bugfix for bug 872 - NTLM locking improvements to prevent crashes
---
diff --git a/src/ACLChecklist.cc b/src/ACLChecklist.cc
index 4bc36026cf..fe43a93cd8 100644
--- a/src/ACLChecklist.cc
+++ b/src/ACLChecklist.cc
@@ -1,5 +1,5 @@
 /*
- * $Id: ACLChecklist.cc,v 1.21 2004/12/20 16:30:32 robertc Exp $
+ * $Id: ACLChecklist.cc,v 1.22 2004/12/20 17:35:58 robertc Exp $
 *
 * DEBUG: section 28 Access Control
 * AUTHOR: Duane Wessels
@@ -61,7 +61,7 @@ ACLChecklist::authenticated()
 }
 /* get authed here */
- /* Note: this fills in auth_user_request when applicable */
+ /* Note: this fills in auth_user_request when applicable (auth incomplete)*/
 switch (AuthUserRequest::tryToAuthenticateAndSetAuthUser (&auth_user_request, headertype, request, conn(), src_addr)) {
 case AUTH_ACL_CANNOT_AUTHENTICATE:
@@ -69,6 +69,12 @@ ACLChecklist::authenticated()
 return 0;
 case AUTH_AUTHENTICATED:
+
+ if (auth_user_request) {
+ auth_user_request->unlock();
+ auth_user_request = NULL;
+ }
+
 return 1;
 break;
@@ -220,18 +226,6 @@ ACLChecklist::checkCallback(allow_t answer)
 PF *callback_;
 void *cbdata_;
 debug(28, 3) ("ACLChecklist::checkCallback: %p answer=%d\n", this, answer);
- /* During reconfigure, we can end up not finishing call
- * sequences into the auth code */
-
- if (auth_user_request) {
- /* the checklist lock */
- auth_user_request->unlock();
- /* it might have been connection based */
- assert(conn().getRaw() != NULL);
- conn()->auth_user_request = NULL;
- conn()->auth_type = AUTH_BROKEN;
- auth_user_request = NULL;
- }
 callback_ = callback;
 callback = NULL;
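Review bot: The `unlock()` added under `case AUTH_AUTHENTICATED:` in the `@@ -69,6 +69,12 @@` hunk of src/ACLChecklist.cc carries no comment naming the reference it releases, and an unbalanced release on a refcounted auth object ends as a use-after-free rather than a leak. Within this commit it appears to pair with the `lock()` that AuthUserRequest.cc takes when it fills `*auth_user_request` from the cached request; any other path that sets the pointer lies outside the visible lines and should be confirmed to lock as well. I would add `/* drop the checklist's own reference; request->auth_user_request is locked separately */` above the `if`. The `break;` that follows `return 1;` is unreachable, and the body of `ACLChecklist::authenticated()` starts and ends outside the hunk.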
@@ -325,6 +319,21 @@ ACLChecklist::~ACLChecklist()
 if (extacl_entry) cbdataReferenceDone(extacl_entry);
+ /* During reconfigure or if authentication is used in aclCheckFast without
+ * first being authenticated in http_access we can end up not finishing call
+ * sequences into the auth code. In such case we must make sure to forget
+ * the authentication state completely
+ */
+ if (auth_user_request) {
+ /* the checklist lock */
+ auth_user_request->unlock();
+ /* it might have been connection based */
+ assert(conn().getRaw() != NULL);
+ conn()->auth_user_request = NULL;
+ conn()->auth_type = AUTH_BROKEN;
+ auth_user_request = NULL;
+ }
+
 if (request) requestUnlink(request);
diff --git a/src/AuthUserRequest.cc b/src/AuthUserRequest.cc
index 611385afa6..50d31d5ba4 100644
--- a/src/AuthUserRequest.cc
+++ b/src/AuthUserRequest.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: AuthUserRequest.cc,v 1.1 2004/08/30 03:28:56 robertc Exp $
+ * $Id: AuthUserRequest.cc,v 1.2 2004/12/20 17:35:58 robertc Exp $
 *
 * DO NOT MODIFY NEXT 2 LINES:
 * arch-tag: 6803fde1-d5a2-4c29-9034-1c0c9f650eb4
@@ -624,9 +624,23 @@ AuthUserRequest::tryToAuthenticateAndSetAuthUser(auth_user_request_t ** auth_use
 if (t && t->lastReply != AUTH_ACL_CANNOT_AUTHENTICATE && t->lastReply != AUTH_ACL_HELPER) {
- if (!*auth_user_request)
+ if (!*auth_user_request) {
 *auth_user_request = t;
+ (*auth_user_request)->lock()
+
+ ;
+ //TODO: check if needed. If there's a leak, it is not
+ }
+
+ if (!request->auth_user_request) {
+ request->auth_user_request=t;
+
+ request->auth_user_request->lock()
+
+ ;
+ }
+
 return t->lastReply;
 }
diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index 33c77928aa..308fbbb61b 100644
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: auth_ntlm.cc,v 1.44 2004/12/20 16:30:40 robertc Exp $
+ * $Id: auth_ntlm.cc,v 1.45 2004/12/20 17:35:58 robertc Exp $
 *
 * DEBUG: section 29 NTLM Authenticator
 * AUTHOR: Robert Collins
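Review bot: `assert(conn().getRaw() != NULL);` in the `@@ -325,6 +319,21 @@` hunk now runs inside `~ACLChecklist()`, so a checklist destroyed with a pending `auth_user_request` after its connection is gone aborts the whole proxy, and in a build with assertions compiled out the next line dereferences the null `conn()`. Whether that state can be reached is not visible from these lines, but a destructor should tolerate it rather than test it with an assertion. I would keep the `unlock()` as it is and guard only the connection reset: `if (conn().getRaw() != NULL) { conn()->auth_user_request = NULL; conn()->auth_type = AUTH_BROKEN; }`. The destructor body starts before and continues after the hunk.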
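Review bot: The comment `//TODO: check if needed. If there's a leak, it is not` in the `@@ -624,9 +624,23 @@` hunk of src/AuthUserRequest.cc breaks off mid-sentence and leaves the ownership of the two references taken here undecided. A reference count on an authentication object needs a stated contract, because an extra `lock()` pins credentials in memory and a missing one lets the object be freed while the checklist or request still points at it. I would replace the TODO with `/* the caller owns one reference on *auth_user_request and must unlock() it */` and add a matching comment on the `request->auth_user_request` lock naming where that reference is dropped, which is not visible here. Writing `(*auth_user_request)->lock();` on one line would also stop the detached `;` from reading like a missing statement. The enclosing function starts outside the hunk.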
@@ -51,6 +51,8 @@
 static void authenticateStateFree(authenticateStateData * r) {
+ r->auth_user_request->unlock();
+ r->auth_user_request = NULL;
 cbdataFree(r);
 }
@@ -762,6 +764,10 @@ AuthNTLMUserRequest::module_start(RH * handler, void *data)
 r->data = cbdataReference(data);
 r->auth_user_request = this;
+ lock()
+
+ ; /* locking myself */
+
 if (server == NULL) {
 helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, NULL);
 } else {
@@ -790,11 +796,19 @@ AuthNTLMUserRequest::module_start(RH * handler, void *data)
 r->handler = handler;
 r->data = cbdataReference(data);
 r->auth_user_request = this;
+
+ lock()
+
+ ;
 snprintf(buf, 8192, "KK %s\n", sent_string);
+
 /* getting rid of deferred request status */
 authserver_deferred = 0;
+
 helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, authserver);
+
 debug(29, 9) ("authenticateNTLMstart: finished\n");
+
 break;
 default:
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 68e8248759..376ab44e51 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side_reply.cc,v 1.78 2004/12/20 16:30:35 robertc Exp $
+ * $Id: client_side_reply.cc,v 1.79 2004/12/20 17:35:58 robertc Exp $
 *
 * DEBUG: section 88 Client-side Reply Routines
 * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1834,7 +1834,11 @@ clientReplyContext::buildMaxBodySize(HttpReply * reply)
 acl_size_t *l = Config.ReplyBodySize;
 ACLChecklist *ch;
+ if (http->logType == LOG_TCP_DENIED)
+ return;
+
 ch = clientAclChecklistCreate(NULL, http);
+
 ch->reply = reply;
 for (l = Config.ReplyBodySize; l; l = l -> next) {
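Review bot: `r->auth_user_request->unlock();` in `authenticateStateFree()` (hunk `@@ -51,6 +51,8 @@` of src/auth/ntlm/auth_ntlm.cc) dereferences the pointer unconditionally, while the other release sites added by this commit test it first. Both `module_start` hunks set the field before submitting to the helper, but any other place that allocates an `authenticateStateData` is outside the visible lines, and a state freed without the field set would crash the proxy here. A guard keeps the free path safe: `if (r->auth_user_request) { r->auth_user_request->unlock(); r->auth_user_request = NULL; }`.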
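Review bot: The self-`lock()` added in the `@@ -762,6 +764,10 @@` hunk of `AuthNTLMUserRequest::module_start`, and again in `@@ -790,11 +796,19 @@`, is released only by `authenticateStateFree()`, and neither site says so. The reference is balanced only if `authenticateNTLMHandleplaceholder` and `authenticateNTLMHandleReply` reach `authenticateStateFree(r)` on every exit, including helper failure; those handlers are outside the visible lines. I would replace `/* locking myself */` with `/* held for the helper callback; released in authenticateStateFree() */` and put the same comment on the second `lock()`, which currently has none. Both hunks sit in the middle of `module_start`, whose start and end are not shown.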
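Review bot: The early `return` for `LOG_TCP_DENIED` in `clientReplyContext::buildMaxBodySize` (hunk `@@ -1834,7 +1834,11 @@` of src/client_side_reply.cc) skips every `Config.ReplyBodySize` ACL without a comment, so a reader cannot tell that exempting denied replies from the body-size evaluation is deliberate. Judging by the commit subject, the intent is presumably to avoid running ACLs that need authentication state on a request whose authentication never completed. I would say that above the test, for example `/* denied requests may carry unfinished auth state; do not run the ReplyBodySize ACLs on them */`, and state which limit then applies to the denied reply. The function continues past the end of the hunk.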