s3-gse: Don't release the mech OID from gss_accept_security_context
authorAndrew Bartlett <abartlet@samba.org>
Sat, 16 Apr 2011 05:39:00 +0000 (15:39 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 27 Apr 2011 01:56:48 +0000 (11:56 +1000)
This is constant data according to the man pages I find for this
function, and causes a segfault to free() when linked to Heimdal.  I
am advised that while it is constant for gss_mech_krb5, it may not be
for other mechanisms, so an assert will ensure this is dealt with by
the programmer who extends this code in future.

Andrew Bartlett

source3/configure.in
source3/librpc/crypto/gse.c
source3/wscript
source4/heimdal_build/wscript_configure

index 883f0b1df07fbbfc4156dbc9ac3cd2067c20a617..a463aa910d1e1dc464c4b0c3311c1993128a6887 100644 (file)
@@ -3870,6 +3870,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
 
   # MIT krb5 1.8 does not expose this call (yet)
   AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
index 42e9c942a93d95664a44a62017d2eab473a3d84f..22b940a1f3860d0ef5420181b31c1398e55073ba 100644 (file)
@@ -85,6 +85,24 @@ struct gse_context {
        bool authenticated;
 };
 
+#ifndef HAVE_GSS_OID_EQUAL
+
+static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
+{
+       if (o1 == o2) {
+               return true;
+       }
+       if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
+               return false;
+       }
+       if (o1->length != o2->length) {
+               return false;
+       }
+       return memcmp(o1->elements, o2->elements, o1->length) == false;
+}
+
+#endif
+
 /* free non talloc dependent contexts */
 static int gse_context_destructor(void *ptr)
 {
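Review bot: The fallback's last line compares memcmp()'s int result with the bool constant `false`; this works only because false is 0, and `return memcmp(o1->elements, o2->elements, o1->length) == 0;` states the intent directly. The two-sided NULL test can shrink to `if (o1 == NULL || o2 == NULL) return false;`, since the pointer-equality check above it has already handled the case where both are NULL. Because the fallback reuses the library's own name, a GSSAPI header that declares gss_oid_equal while the configure link check fails would presumably conflict with this static definition. A one-line comment above the `#ifndef`, such as `/* local stand-in for gss_oid_equal() when the GSSAPI library lacks it */`, would make that dependency visible.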
@@ -125,10 +143,19 @@ static int gse_context_destructor(void *ptr)
                gss_maj = gss_release_cred(&gss_min,
                                           &gse_ctx->delegated_creds);
        }
-       if (gse_ctx->ret_mech) {
-               gss_maj = gss_release_oid(&gss_min,
-                                         &gse_ctx->ret_mech);
-       }
+
+       /* MIT and Heimdal differ as to if you can call
+        * gss_release_oid() on this OID, generated by
+        * gss_{accept,init}_sec_context().  However, as long as the
+        * oid is gss_mech_krb5 (which it always is at the moment),
+        * then this is a moot point, as both declare this particular
+        * OID static, and so no memory is lost.  This assert is in
+        * place to ensure that the programmer who wishes to extend
+        * this code to EAP or other GSS mechanisms determines an
+        * implementation-dependent way of releasing any dynamically
+        * allocated OID */
+       SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
+
        return 0;
 }
 
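Review bot: The new SMB_ASSERT tests `gse_ctx->gss_mech`, but the comment above it and the removed lines concern `gse_ctx->ret_mech`, the OID handed back by gss_{accept,init}_sec_context(); as written, nothing checks the returned OID that is now left unreleased. If gss_mech is an embedded gss_OID_desc (the struct definition is outside this hunk, so confirm), `&gse_ctx->gss_mech` is never NULL and the `GSS_C_NO_OID` arm can never match. Checking the returned pointer would fit the stated intent: `SMB_ASSERT(gse_ctx->ret_mech == GSS_C_NO_OID || gss_oid_equal(gse_ctx->ret_mech, gss_mech_krb5));`. Since a failed SMB_ASSERT in a destructor takes the whole process down, it may be better to validate the mechanism where the context is established and fail the authentication there. gse_context_destructor begins before this hunk.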
index 6081ac9d4da2b43ebd244af02f4bd405ce5bbb31..cdafc1683acaa2b983225fd10042518f16f6a7c9 100644 (file)
@@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd);
         if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
            conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
             have_gssapi=True
-        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute', 'gssapi gssapi_krb5 krb5')
+        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5')
         conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
         conf.CHECK_FUNCS('''
 krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
index f711fe7f2860bb70156ea4ee49ffb38a7ebedc3a..f96c683baf6c9d8e9793a7d5848cbea1519247be 100644 (file)
@@ -82,6 +82,7 @@ conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
 conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
 conf.define('HAVE_GSS_WRAP_IOV', 1)
 conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
+conf.define('HAVE_GSS_OID_EQUAL', 1)
 conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
 conf.define('HAVE_LIBGSSAPI', 1)
 conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)