Fix krb5_copy_context

krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists.  Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs.  Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.

(back ported from commit c452644d91d57d8b05ef396a029e34d0c7a48920)

ticket: 7845 (new)

diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
index 9d2c3e4918f2863776a693832eeeff9a523cfe7b..40e68d2b8f12597b6ac6998b9617ab5a83348897 100644 (file)
--- a/src/lib/krb5/krb/copy_ctx.c
+++ b/src/lib/krb5/krb/copy_ctx.c
@@ -77,6 +77,12 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     nctx->ser_ctx_count = 0;
     nctx->ser_ctx = NULL;
     nctx->prompt_types = NULL;
+    nctx->preauth_context = NULL;
+    nctx->ccselect_handles = NULL;
+    nctx->kdblog_context = NULL;
+    nctx->trace_callback = NULL;
+    nctx->trace_callback_data = NULL;
+    nctx->plugin_base_dir = NULL;
     nctx->os_context.default_ccname = NULL;
 
     memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
@@ -84,6 +90,7 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     nctx->locate_fptrs = NULL;
 
     memset(&nctx->err, 0, sizeof(nctx->err));
+    memset(&nctx->plugins, 0, sizeof(nctx->plugins));
 
     ret = krb5int_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
     if (ret)
@@ -103,6 +110,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     ret = krb5_get_profile(ctx, &nctx->profile);
     if (ret)
         goto errout;
+    nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
+    if (nctx->plugin_base_dir == NULL) {
+        ret = ENOMEM;
+        goto errout;
+    }
 
 errout:
     if (ret) {

diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
index a56155f04a1cf0b2ed906a333484e83f690f7ab9..8ba9f65bf8b7534a892431ebe62b1d3cf765db66 100644 (file)
--- a/src/lib/krb5/krb/etype_list.c
+++ b/src/lib/krb5/krb/etype_list.c
@@ -49,6 +49,8 @@ krb5int_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
     krb5_enctype *list;
 
     *new_list = NULL;
+    if (old_list == NULL)
+        return 0;
     count = krb5int_count_etypes(old_list);
     list = malloc(sizeof(krb5_enctype) * (count + 1));
     if (list == NULL)