Package: krb5 / 1.17-6

0016-Filter-enctypes-in-gss_set_allowable_enctypes.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Jul 2019 00:15:42 -0400
Subject: Filter enctypes in gss_set_allowable_enctypes()

Instead of erroring out when any invalid enctypes are present in the
caller's list, filter out the invalid ones and only error if no
enctype remains.

ticket: 8819
---
 src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c
index d9fd279..a74b161 100644
--- a/src/lib/gssapi/krb5/set_allowable_enctypes.c
+++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c
@@ -66,7 +66,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
                                    const gss_OID desired_oid,
                                    const gss_buffer_t value)
 {
-    unsigned int i;
+    unsigned int i, j;
     krb5_enctype * new_ktypes;
     OM_uint32 major_status;
     krb5_gss_cred_id_t cred;
@@ -83,14 +83,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
     /* verify and valildate cred handle */
     cred = (krb5_gss_cred_id_t) *cred_handle;
 
-    if (req->ktypes) {
-        for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
-            if (!krb5_c_valid_enctype(req->ktypes[i])) {
-                kerr = KRB5_PROG_ETYPE_NOSUPP;
-                goto error_out;
-            }
-        }
-    } else {
+    if (req->ktypes == NULL) {
         k5_mutex_lock(&cred->lock);
         if (cred->req_enctypes)
             free(cred->req_enctypes);
@@ -99,13 +92,19 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
         return GSS_S_COMPLETE;
     }
 
-    /* Copy the requested ktypes into the cred structure */
-    if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) {
-        memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i);
-        new_ktypes[i] = 0;      /* "null-terminate" the list */
+    /* Copy the requested enctypes into the cred structure.  Filter out the
+     * ones we don't consider valid.  Error out if no enctypes are valid. */
+    new_ktypes = k5calloc(req->num_ktypes + 1, sizeof(*new_ktypes), &kerr);
+    if (new_ktypes == NULL)
+        goto error_out;
+    for (i = 0, j = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
+        if (krb5_c_valid_enctype(req->ktypes[i]))
+            new_ktypes[j++] = req->ktypes[i];
     }
-    else {
-        kerr = ENOMEM;
+    new_ktypes[j] = 0;
+    if (j == 0) {
+        free(new_ktypes);
+        kerr = KRB5_PROG_ETYPE_NOSUPP;
         goto error_out;
     }
     k5_mutex_lock(&cred->lock);