From nobody@FreeBSD.org  Sat Oct 20 01:18:04 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5CFE216A418
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Oct 2007 01:18:04 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 2CC7513C447
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Oct 2007 01:18:04 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l9K1Hl4i029325
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Oct 2007 01:17:47 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id l9K1Hlou029324;
	Sat, 20 Oct 2007 01:17:47 GMT
	(envelope-from nobody)
Message-Id: <200710200117.l9K1Hlou029324@www.freebsd.org>
Date: Sat, 20 Oct 2007 01:17:47 GMT
From: Nathan Whitehorn <nathanw@uchicago.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: gss_acquire_cred can crash if _gss_mech_oids has not been initialized
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         117349
>Category:       kern
>Synopsis:       [libgssapi] [patch] gss_acquire_cred can crash if _gss_mech_oids has not been initialized
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 20 01:20:00 UTC 2007
>Closed-Date:    Sun Dec 02 10:08:14 UTC 2007
>Last-Modified:  Sun Dec 02 10:08:14 UTC 2007
>Originator:     Nathan Whitehorn
>Release:        7.0-CURRENT
>Organization:
University of Chicago
>Environment:
FreeBSD banshee.uchicago.edu 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Oct  8 14:34:11 CDT 2007     root@banshee.uchicago.edu:/usr/obj/usr/src/sys/X2100  amd64
>Description:
gss_acquire_cred() uses _gss_mech_oids to initialize an empty OID set without checking if it has been initialized. With some programs, it happens to have been initialized already. With others (e.g. dovecot), it hasn't been, causing a seg fault. The attached patch forces initialization in the event _gss_mech_oids is NULL.
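
As an added illustration (not FreeBSD's libgssapi code), the two control flows described above modelled in C: the pre-fix path, in which a NULL mechanism list falls back to a table that was only loaded on the non-NULL path, and the load-first ordering that the committed fix uses. `mech_oids`, `load_mech`, `acquire_cred_before/after` and the status values are hypothetical stand-ins for `_gss_mech_oids`, `_gss_load_mech()` and `gss_acquire_cred()`.

```c
#include <stddef.h>

/* Constructed status codes (not the real GSS_S_* values); success returns
 * the number of mechanisms the credential loop would iterate over. */
#define ST_BAD_MECH    -2
#define ST_WOULD_CRASH -1  /* where the real code dereferences NULL */

typedef struct { size_t count; const int *elements; } oid_set;

static const int builtin[] = { 1, 2 };      /* constructed: the mechanisms "we support" */
static oid_set   builtin_set = { 2, builtin };
static oid_set  *mech_oids;                  /* stand-in for _gss_mech_oids; NULL until loaded */

/* Stand-in for _gss_load_mech(): idempotent, so the unconditional call in
 * the committed fix costs only a pointer test. */
static void load_mech(void) { if (mech_oids == NULL) mech_oids = &builtin_set; }
void reset_mechs(void) { mech_oids = NULL; }   /* fresh-process state, for tests */

static int supported(int mech) {             /* caller must have loaded mech_oids */
    for (size_t i = 0; i < mech_oids->count; i++)
        if (mech_oids->elements[i] == mech) return 1;
    return 0;
}

/* Pre-fix flow: the table is loaded only when a non-NULL list is passed, so a
 * NULL list falls back to mech_oids, which is still NULL unless some earlier
 * call in the same process happened to load it. */
int acquire_cred_before(const oid_set *mechs) {
    if (mechs) {
        load_mech();
        for (size_t i = 0; i < mechs->count; i++)
            if (!supported(mechs->elements[i])) return ST_BAD_MECH;
    }
    if (mechs == NULL) mechs = mech_oids;
    if (mechs == NULL) return ST_WOULD_CRASH;  /* real code: mechs->count faults here */
    return (int)mechs->count;
}

/* Post-fix flow: load first, then fall back, so the fallback can never be NULL. */
int acquire_cred_after(const oid_set *mechs) {
    load_mech();
    if (mechs) {
        for (size_t i = 0; i < mechs->count; i++)
            if (!supported(mechs->elements[i])) return ST_BAD_MECH;
    } else
        mechs = mech_oids;
    return (int)mechs->count;
}
```

In a process where nothing has loaded the table yet, `acquire_cred_before(NULL)` reaches the NULL dereference while `acquire_cred_after(NULL)` succeeds; once any call has loaded the table, the old path also happens to work, which is why the crash showed up in some programs and not others.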
>How-To-Repeat:

>Fix:
--- gss_acquire_cred.c  2007-10-19 20:12:40.000000000 -0500
+++ gss_acquire_cred.c.dist     2007-10-19 20:12:26.000000000 -0500
@@ -59,10 +59,6 @@
         * First make sure that at least one of the requested
         * mechanisms is one that we support.
         */
-
-       if (!_gss_mech_oids)
-                _gss_load_mech();
-
        if (mechs) {
                _gss_load_mech();
                for (i = 0; i < mechs->count; i++) 
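Review bot: the file headers and the hunk are reversed: `--- gss_acquire_cred.c` is given as the old file and `+++ gss_acquire_cred.c.dist` as the new one, so the `if (!_gss_mech_oids) _gss_load_mech();` guard that the description says is being added shows up as `-` lines, and applying this hunk as-is would remove it. Swap the two headers, or regenerate with `diff -u gss_acquire_cred.c.dist gss_acquire_cred.c`, so the guard is added.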

>Release-Note:
>Audit-Trail:

From: Nathan Whitehorn <nwhitehorn@physics.wisc.edu>
To: bug-followup@FreeBSD.org,  nathanw@uchicago.edu
Cc:  
Subject: Re: misc/117349: gss_acquire_cred can crash if _gss_mech_oids has
 not been initialized
Date: Fri, 19 Oct 2007 20:56:02 -0500

 The patch is backwards, of course. The correct patch is:
 
 --- gss_acquire_cred.c.dist 2007-10-19 20:12:26.000000000 -0500
 +++ gss_acquire_cred.c 2007-10-19 20:12:40.000000000 -0500
 @@ -59,6 +59,10 @@
 * First make sure that at least one of the requested
 * mechanisms is one that we support.
 */
 +
 + if (!_gss_mech_oids)
 + _gss_load_mech();
 +
 if (mechs) {
 _gss_load_mech();
 for (i = 0; i < mechs->count; i++)
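Review bot: with the guard in place, a call that passes a non-NULL list now runs `_gss_load_mech()` twice, once via `if (!_gss_mech_oids)` and again on the first line inside `if (mechs) {`. If `_gss_load_mech()` already returns early once `_gss_mech_oids` is set (which the existing per-call invocation suggests), the NULL test is redundant and the inner call can simply move out in front of the `if (mechs)` as a single unconditional call. Separately, all leading indentation has been lost from the context and `+` lines in this copy, so `patch(1)` will not apply it without `-l`; attaching the file rather than pasting it avoids that.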

From: Sean McNeil <sean@mcneil.com>
To: bug-followup@FreeBSD.org, nathanw@uchicago.edu
Cc:  
Subject: Re: kern/117349: [libgssapi] [patch] gss_acquire_cred can crash if
 _gss_mech_oids has not been initialized
Date: Tue, 27 Nov 2007 22:32:53 -0800

 I have seen this exact issue with openldap 2.3 on HEAD/RELENG_7. Here is 
 an alternative patch to resolve this issue:
 
 --- gss_acquire_cred.c.orig	2005-12-29 06:40:20.000000000 -0800
 +++ gss_acquire_cred.c	2007-11-22 18:30:07.000000000 -0800
 @@ -59,8 +59,8 @@
  	 * First make sure that at least one of the requested
  	 * mechanisms is one that we support.
  	 */
 +	_gss_load_mech();
  	if (mechs) {
 -		_gss_load_mech();
  		for (i = 0; i < mechs->count; i++) {
  			int t;
  			gss_test_oid_set_member(minor_status,
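Review bot: hoisting `_gss_load_mech();` out of `if (mechs) {` and making it unconditional is the right fix for the NULL-list path, provided the function is safe to call on every entry; the old code already called it on every invocation that supplied a list, so that is evidently the expectation, but it is worth confirming in `_gss_load_mech()` itself (it should return early when `_gss_mech_oids` is already set) before every caller relies on it.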
 @@ -74,6 +74,9 @@
  			return (GSS_S_BAD_MECH);
  		}
  	}
 +	else
 +		mechs = _gss_mech_oids;
 +
  
  	if (actual_mechs) {
  		major_status = gss_create_empty_oid_set(minor_status,
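Review bot: the bare `+` line after `mechs = _gss_mech_oids;` lands directly before the existing blank context line, leaving two consecutive empty lines; drop it. Also note that this assigns `mechs` earlier than the removed assignment in the hunk at line 92 did, so `mechs` is now non-NULL before the `if (actual_mechs)` block; none of the visible lines in between read `mechs`, so this looks safe, but the elided lines of that block should be checked for anything that distinguished a NULL list from the default set.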
 @@ -92,9 +95,6 @@
  	cred->gc_usage = cred_usage;
  	SLIST_INIT(&cred->gc_mc);
  
 -	if (mechs == GSS_C_NO_OID_SET)
 -		mechs = _gss_mech_oids;
 -
  	set.count = 1;
  	min_time = GSS_C_INDEFINITE;
  	for (i = 0; i < mechs->count; i++) {
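Review bot: removing `if (mechs == GSS_C_NO_OID_SET) mechs = _gss_mech_oids;` is consistent with the `else` added in the previous hunk, since `GSS_C_NO_OID_SET` is the null OID-set pointer and `if (mechs)` already covers that case. This was the crash site the PR describes: with a NULL list the `if (mechs)` branch never ran `_gss_load_mech()`, the fallback left `mechs` NULL, and `for (i = 0; i < mechs->count; i++)` dereferenced it. The hunk header (`-92,9 +95,6`) matches the three removed lines.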
 
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/117349: commit references a PR
Date: Wed, 28 Nov 2007 08:50:31 +0000 (UTC)

 dfr         2007-11-28 08:50:20 UTC
 
   FreeBSD src repository
 
   Modified files:
     lib/libgssapi        gss_acquire_cred.c 
   Log:
   Make sure GSS-API mechanisms are loaded if gss_acquire_cred is called
   with a null mechanism list.
   
   PR:             misc/117349
   Submitted by:   Sean McNeil <sean at mcneil dot com>
   
   Revision  Changes    Path
   1.2       +3 -4      src/lib/libgssapi/gss_acquire_cred.c
 

From: Sean McNeil <sean@mcneil.com>
To: bug-followup@FreeBSD.org, nathanw@uchicago.edu
Cc:  
Subject: Re: kern/117349: [libgssapi] [patch] gss_acquire_cred can crash if
 _gss_mech_oids has not been initialized
Date: Wed, 28 Nov 2007 09:14:15 -0800

 This needs to be MFC'd to RELENG_7.
 
State-Changed-From-To: open->closed 
State-Changed-By: dfr 
State-Changed-When: Sun Dec 2 10:07:30 UTC 2007 
State-Changed-Why:  
Patch applied to HEAD and RELENG_7, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=117349 
>Unformatted:
