From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 12 Mar 2015 20:36:33 +0000 (-0400)
Subject: Fix scope of kadmind ACL wildcard back-references
X-Git-Tag: krb5-1.12.4-final~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bab11e7d597635d88bb693c39ffaddfed906b594;p=thirdparty%2Fkrb5.git

Fix scope of kadmind ACL wildcard back-references

In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry.  Otherwise the wildcards we process can affect
back-references for later entries.

(cherry picked from commit d3d18b8d8d7a47766fd4e9667d045035f43d90ef)
(cherry picked from commit 8e67dce9379c0f50bdccc12619fecad423aa5384)

ticket: 8183
version_fixed: 1.12.4
status: resolved
---

diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index b2aeb7daa4..9d971a9e52 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -611,8 +611,8 @@ kadm5int_acl_find_entry(kcontext, principal, dest_princ)
     wildstate_t         state;
 
     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
-    memset(&state, 0, sizeof state);
     for (entry=acl_list_head; entry; entry = entry->ae_next) {
+        memset(&state, 0, sizeof(state));
         if (entry->ae_name_bad)
             continue;
         if (!strcmp(entry->ae_name, "*")) {
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index c4b8465d8d..8b04c1e3a0 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -65,6 +65,8 @@ restricted_modify  im  *         +preauth
 restricted_rename  ad  *         +preauth
 
 */*                d   *2/*1
+# The next line is a regression test for #8154; it is not used directly.
+one/*/*/five       l
 */two/*/*          d   *3/*1/*2
 */admin            a
 wctarget           a   wild/*