From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 12 Mar 2015 20:36:33 +0000 (-0400)
Subject: Fix scope of kadmind ACL wildcard back-references
X-Git-Tag: krb5-1.14-alpha1~154
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3d18b8d8d7a47766fd4e9667d045035f43d90ef;p=thirdparty%2Fkrb5.git

Fix scope of kadmind ACL wildcard back-references

In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry.  Otherwise the wildcards we process can affect
back-references for later entries.

ticket: 8154
target_version: 1.13.2
tags: pullup
---

diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index a35d795dc0..86e136741e 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -610,8 +610,8 @@ kadm5int_acl_find_entry(kcontext, principal, dest_princ)
     wildstate_t         state;
 
     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
-    memset(&state, 0, sizeof state);
     for (entry=acl_list_head; entry; entry = entry->ae_next) {
+        memset(&state, 0, sizeof(state));
         if (entry->ae_name_bad)
             continue;
         if (!strcmp(entry->ae_name, "*")) {
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 9ccc80b3a3..6f5c589813 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -61,6 +61,8 @@ restricted_modify  im  *         +preauth
 restricted_rename  ad  *         +preauth
 
 */*                d   *2/*1
+# The next line is a regression test for #8154; it is not used directly.
+one/*/*/five       l
 */two/*/*          d   *3/*1/*2
 */admin            a
 wctarget           a   wild/*