From: Tom Yu
Date: Fri, 17 Jan 2014 21:21:33 +0000 (-0500)
Subject: Fix krb5_copy_context
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5fda425bf4e08fb15b2e77d4dd200f41da0e1905;p=thirdparty%2Fkrb5.git

Fix krb5_copy_context

krb5_copy_context has been broken since 1.8 (it broke in r22456) because k5_copy_etypes crashes on null enctype lists. Subsequent additions to the context structure were not reflected in krb5_copy_context, creating double-free bugs. Make k5_copy_etypes handle null input and account for all new fields in krb5_copy_context.

Reported by Arran Cudbard-Bell.

(back ported from commit c452644d91d57d8b05ef396a029e34d0c7a48920)

ticket: 7845 (new)
---
diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
index 9d2c3e4918..40e68d2b8f 100644
--- a/src/lib/krb5/krb/copy_ctx.c
+++ b/src/lib/krb5/krb/copy_ctx.c
@@ -77,6 +77,12 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     nctx->ser_ctx_count = 0;
     nctx->ser_ctx = NULL;
     nctx->prompt_types = NULL;
+    nctx->preauth_context = NULL;
+    nctx->ccselect_handles = NULL;
+    nctx->kdblog_context = NULL;
+    nctx->trace_callback = NULL;
+    nctx->trace_callback_data = NULL;
+    nctx->plugin_base_dir = NULL;
     nctx->os_context.default_ccname = NULL;
 
     memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
@@ -84,6 +90,7 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     nctx->locate_fptrs = NULL;
 
     memset(&nctx->err, 0, sizeof(nctx->err));
+    memset(&nctx->plugins, 0, sizeof(nctx->plugins));
 
     ret = krb5int_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
     if (ret)
@@ -103,6 +110,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
     ret = krb5_get_profile(ctx, &nctx->profile);
     if (ret)
         goto errout;
+    nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
+    if (nctx->plugin_base_dir == NULL) {
+        ret = ENOMEM;
+        goto errout;
+    }
 
 errout:
     if (ret) {
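Review bot: The six new NULL assignments in the first hunk carry no comment, so the next maintainer who adds an owned-pointer field to the context has no cue that it must be reset here too, which is exactly how the double frees this commit fixes crept in; the reset of `trace_callback`/`trace_callback_data` also silently means a copied context does not inherit tracing, and nothing says that is intentional. I would add, above the first reset line, `/* Every owned pointer shared by the struct copy above must be reset here, or krb5_free_context would free it twice. Tracing is deliberately not inherited: the callback data belongs to the original context. */` — the struct copy itself is presumably earlier in the function, which starts outside the hunk. It is also worth a short note that `plugin_base_dir` is reset here specifically so the errout cleanup later in the function is safe before the strdup that fills it in.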
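Review bot: `strdup(ctx->plugin_base_dir)` in the third hunk is undefined behaviour if the source field is NULL, and a NULL field would then either crash or be misreported as ENOMEM; the hunk gives no evidence that every context reaching krb5_copy_context has the field set, which is the same "null input" class of bug this commit fixes in krb5int_copy_etypes. If a NULL field is possible on this branch, wrap the copy as `if (ctx->plugin_base_dir != NULL) {` around the strdup and its ENOMEM check, leaving nctx->plugin_base_dir as the NULL set earlier in the function. If instead it is an invariant of an initialized context, a one-line `/* plugin_base_dir is always set by krb5_init_context. */` above the strdup saves the next reader from checking. The errout label and the cleanup after it run past the end of the hunk.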
diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
index a56155f04a..8ba9f65bf8 100644
--- a/src/lib/krb5/krb/etype_list.c
+++ b/src/lib/krb5/krb/etype_list.c
@@ -49,6 +49,8 @@ krb5int_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
     krb5_enctype *list;
 
     *new_list = NULL;
+    if (old_list == NULL)
+        return 0;
     count = krb5int_count_etypes(old_list);
     list = malloc(sizeof(krb5_enctype) * (count + 1));
     if (list == NULL)
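Review bot: The new early return makes a NULL input produce a NULL output rather than an empty terminated list, which changes the function's contract, but nothing in the hunk documents that NULL is now a legitimate input meaning "not configured"; callers that test the result against NULL to mean "unset" presumably rely on exactly this, so it deserves a comment above the check: `/* A null list means "not configured"; copy it as NULL, not as an empty list. */`. The commit message names the function k5_copy_etypes while the hunk patches krb5int_copy_etypes, which looks like the pre-rename name on this branch; worth confirming the backport covers every caller the master commit touched. The malloc that follows and the rest of the function are outside the hunk.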