Fix scope of kadmind ACL wildcard back-references

In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry.  Otherwise the wildcards we process can affect
back-references for later entries.

ticket: 8154
target_version: 1.13.2
tags: pullup

diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index a35d795dc067ca9d268382a4a5b7dd4fb16f1d23..86e136741e7309a6112a063b672d9777a021fd31 100644 (file)
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -610,8 +610,8 @@ kadm5int_acl_find_entry(kcontext, principal, dest_princ)
     wildstate_t         state;
 
     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
-    memset(&state, 0, sizeof state);
     for (entry=acl_list_head; entry; entry = entry->ae_next) {
+        memset(&state, 0, sizeof(state));
         if (entry->ae_name_bad)
             continue;
         if (!strcmp(entry->ae_name, "*")) {

diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 9ccc80b3a3d8e2a5f4e24f5fb648aaca1630262a..6f5c58981357e142a00aa765697a418a47731051 100644 (file)
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -61,6 +61,8 @@ restricted_modify  im  *         +preauth
 restricted_rename  ad  *         +preauth
 
 */*                d   *2/*1
+# The next line is a regression test for #8154; it is not used directly.
+one/*/*/five       l
 */two/*/*          d   *3/*1/*2
 */admin            a
 wctarget           a   wild/*