From: Tom Yu <tlyu@mit.edu>
Date: Tue, 17 Aug 2004 23:57:16 +0000 (+0000)
Subject: 	* svc.c (svc_getreqset): Allocate cred and verf memory to
X-Git-Tag: krb5-1.4-beta1~142
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ecd93648f210e43bc4214fbd626a6b93d0e6db3;p=thirdparty%2Fkrb5.git

	* svc.c (svc_getreqset): Allocate cred and verf memory to
	temporary pointers, and free the temporary pointers on exit.
	Freeing the actual cred and verf pointers can cause corruption
	because auth mechanisms can reassign the pointers.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16669 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index f58e800985..1e90d7fdaa 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,10 @@
+2004-08-17  Tom Yu  <tlyu@mit.edu>
+
+	* svc.c (svc_getreqset): Allocate cred and verf memory to
+	temporary pointers, and free the temporary pointers on exit.
+	Freeing the actual cred and verf pointers can cause corruption
+	because auth mechanisms can reassign the pointers.
+
 2004-08-16  Tom Yu  <tlyu@mit.edu>
 
 	* svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages.
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index e7f3243cfa..ac69df48f1 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -420,10 +420,18 @@ svc_getreqset(readfds)
 	register SVCXPRT *xprt;
 	register int sock;
         bool_t no_dispatch;
+	caddr_t rawcred, rawverf, cookedcred;
 
-	msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES);
-	msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES);
-	r.rq_clntcred = mem_alloc(RQCRED_SIZE);
+	rawcred = mem_alloc(MAX_AUTH_BYTES);
+	rawverf = mem_alloc(MAX_AUTH_BYTES);
+	cookedcred = mem_alloc(RQCRED_SIZE);
+
+	if (rawcred == NULL || rawverf == NULL || cookedcred == NULL)
+		return;
+
+	msg.rm_call.cb_cred.oa_base = rawcred;
+	msg.rm_call.cb_verf.oa_base = rawverf;
+	r.rq_clntcred = cookedcred;
 
 #ifdef FD_SETSIZE
 	for (sock = 0; sock <= max_xport; sock++) {
@@ -497,7 +505,7 @@ svc_getreqset(readfds)
 		} while (stat == XPRT_MOREREQS);
 	    }
 	}
-	mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES);
-	mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES);
-	mem_free(r.rq_clntcred, RQCRED_SIZE);
+	mem_free(rawcred, MAX_AUTH_BYTES);
+	mem_free(rawverf, MAX_AUTH_BYTES);
+	mem_free(cookedcred, RQCRED_SIZE);
 }