Fix krb5 gss_acquire_cred_impersonate_name crash
authorGreg Hudson <ghudson@mit.edu>
Fri, 19 Sep 2014 15:35:10 +0000 (11:35 -0400)
committerGreg Hudson <ghudson@mit.edu>
Fri, 19 Sep 2014 20:32:56 +0000 (16:32 -0400)
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash.  Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.

Based on a patch from Solly Ross <sross@redhat.com>.

ticket: 8017 (new)
target_version: 1.13
tags: pullup

src/lib/gssapi/krb5/s4u_gss_glue.c

index 4381a8442c4132bc34958ff7e4b7133ab8b0e23f..ff1c310bce5ee7e3247b22ad5c853170db38a282 100644 (file)
@@ -113,6 +113,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 {
     OM_uint32 major_status;
     krb5_error_code code;
+    krb5_gss_cred_id_t imp_cred = (krb5_gss_cred_id_t)impersonator_cred_handle;
     krb5_gss_cred_id_t cred;
     krb5_context context;
 
@@ -130,6 +131,11 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
         return GSS_S_FAILURE;
     }
 
+    if (imp_cred->usage != GSS_C_INITIATE && imp_cred->usage != GSS_C_BOTH) {
+        *minor_status = 0;
+        return GSS_S_NO_CRED;
+    }
+
     *output_cred_handle = GSS_C_NO_CREDENTIAL;
     if (time_rec != NULL)
         *time_rec = 0;
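Review bot: The new early return at `return GSS_S_NO_CRED;` does not release `imp_cred->lock`, yet the function's exit path in the last hunk calls `k5_mutex_unlock(&imp_cred->lock)`; that is only consistent if the lock is taken after this check, somewhere outside the hunk, so the check must stay above that acquisition and a later refactor that moves it down would leak the lock. Reading `imp_cred->usage` before the lock is held presumably relies on usage being fixed when the credential is acquired; worth confirming against the acquire path. The reason for the check is also not visible in the code, so I would add a comment above the `if`, e.g. `/* An acceptor-only cred lacks the initiator fields dereferenced below; reject it here rather than crash (matches init_sec_context). */`. krb5_gss_acquire_cred_impersonate_name starts before and continues past this hunk.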
@@ -148,7 +154,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
     }
 
     major_status = kg_impersonate_name(minor_status,
-                                       (krb5_gss_cred_id_t)impersonator_cred_handle,
+                                       imp_cred,
                                        (krb5_gss_name_t)desired_name,
                                        time_req,
                                        &cred,
@@ -158,7 +164,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
     if (!GSS_ERROR(major_status))
         *output_cred_handle = (gss_cred_id_t)cred;
 
-    k5_mutex_unlock(&((krb5_gss_cred_id_t)impersonator_cred_handle)->lock);
+    k5_mutex_unlock(&imp_cred->lock);
     krb5_free_context(context);
 
     return major_status;