diff --git a/krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif b/krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif new file mode 100644 index 0000000..0a98d4e --- /dev/null +++ b/krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif @@ -0,0 +1,21 @@ +--- src/lib/rpc/svc.c ++++ src/lib/rpc/svc.c 2006/12/05 10:03:35 +@@ -437,6 +437,8 @@ + #endif + } + ++extern struct svc_auth_ops svc_auth_gss_ops; ++ + static void + svc_do_xprt(SVCXPRT *xprt) + { +@@ -518,6 +520,9 @@ + if ((stat = SVC_STAT(xprt)) == XPRT_DIED){ + SVC_DESTROY(xprt); + break; ++ } else if ((xprt->xp_auth != NULL) && ++ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) { ++ xprt->xp_auth = NULL; + } + } while (stat == XPRT_MOREREQS); + diff --git a/krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif b/krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif new file mode 100644 index 0000000..5ec5d90 --- /dev/null +++ b/krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif @@ -0,0 +1,1530 @@ +--- src/kadmin/server/ovsec_kadmd.c ++++ src/kadmin/server/ovsec_kadmd.c 2006/12/05 10:48:20 +@@ -990,6 +990,11 @@ + int i; + const char *procname; + ++ client.length = 0; ++ client.value = NULL; ++ server.length = 0; ++ server.value = NULL; ++ + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); + if (client.value == NULL) +--- src/lib/gssapi/mechglue/g_accept_sec_context.c ++++ src/lib/gssapi/mechglue/g_accept_sec_context.c 2006/12/05 11:45:31 +@@ -33,6 +33,58 @@ + #include + #include + ++static OM_uint32 ++val_acc_sec_ctx_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_cred_id_t verifier_cred_handle, ++ gss_buffer_t input_token_buffer, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_name_t *src_name, ++ gss_OID *mech_type, ++ gss_buffer_t output_token, ++ OM_uint32 *ret_flags, ++ OM_uint32 *time_rec, ++ gss_cred_id_t *d_cred) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ ++ if (mech_type != NULL) ++ *mech_type = GSS_C_NO_OID; ++ ++ if (output_token != GSS_C_NO_BUFFER) { ++ output_token->length = 0; ++ output_token->value = NULL; ++ } ++ ++ if (d_cred != NULL) ++ *d_cred = GSS_C_NO_CREDENTIAL; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_token_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ); ++ ++ if (output_token == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_accept_sec_context (minor_status, + context_handle, +@@ -70,25 +122,20 @@ + gss_OID token_mech_type = &token_mech_type_desc; + gss_mechanism mech; + +- /* check parameters first */ +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (context_handle == NULL || output_token == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- /* clear optional fields */ +- output_token->value = NULL; +- output_token->length = 0; +- if (src_name) +- *src_name = NULL; +- +- if (mech_type) +- *mech_type = NULL; ++ status = val_acc_sec_ctx_args(minor_status, ++ context_handle, ++ verifier_cred_handle, ++ input_token_buffer, ++ input_chan_bindings, ++ src_name, ++ mech_type, ++ output_token, ++ ret_flags, ++ time_rec, ++ d_cred); ++ if (status != GSS_S_COMPLETE) ++ return (status); + +- if (d_cred) +- *d_cred = NULL; + /* + * if context_handle is GSS_C_NO_CONTEXT, allocate a union context + * descriptor to hold the mech type information as well as the +--- src/lib/gssapi/mechglue/g_acquire_cred.c ++++ src/lib/gssapi/mechglue/g_acquire_cred.c 2006/12/05 11:21:11 +@@ -71,6 +71,43 @@ + return actual_mechs; + } + ++static OM_uint32 ++val_acq_cred_args( ++ OM_uint32 *minor_status, ++ gss_name_t desired_name, ++ OM_uint32 time_req, ++ gss_OID_set desired_mechs, ++ int cred_usage, ++ gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, ++ OM_uint32 *time_rec) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_cred_handle != NULL) ++ *output_cred_handle = GSS_C_NO_CREDENTIAL; ++ ++ if (actual_mechs != NULL) ++ *actual_mechs = GSS_C_NULL_OID_SET; ++ ++ if (time_rec != NULL) ++ *time_rec = 0; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (output_cred_handle == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ + + OM_uint32 KRB5_CALLCONV + gss_acquire_cred(minor_status, +@@ -101,22 +138,19 @@ + int i; + gss_union_cred_t creds; + +- /* start by checking parameters */ +- if (!minor_status) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (!output_cred_handle) +- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); +- +- *output_cred_handle = GSS_C_NO_CREDENTIAL; +- +- /* Set output parameters to NULL for now */ +- if (actual_mechs) +- *actual_mechs = GSS_C_NULL_OID_SET; ++ major = val_acq_cred_args(minor_status, ++ desired_name, ++ time_req, ++ desired_mechs, ++ cred_usage, ++ output_cred_handle, ++ actual_mechs, ++ time_rec); ++ if (major != GSS_S_COMPLETE) ++ return (major); + +- if (time_rec) +- *time_rec = 0; ++ /* Initial value needed below. */ ++ major = GSS_S_FAILURE; + + /* + * if desired_mechs equals GSS_C_NULL_OID_SET, then pick an +@@ -208,6 +242,52 @@ + return (GSS_S_COMPLETE); + } + ++static OM_uint32 ++val_add_cred_args( ++ OM_uint32 *minor_status, ++ gss_cred_id_t input_cred_handle, ++ gss_name_t desired_name, ++ gss_OID desired_mech, ++ gss_cred_usage_t cred_usage, ++ OM_uint32 initiator_time_req, ++ OM_uint32 acceptor_time_req, ++ gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, ++ OM_uint32 *initiator_time_rec, ++ OM_uint32 *acceptor_time_rec) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_cred_handle != NULL) ++ *output_cred_handle = GSS_C_NO_CREDENTIAL; ++ ++ if (actual_mechs != NULL) ++ *actual_mechs = GSS_C_NO_OID_SET; ++ ++ if (acceptor_time_rec != NULL) ++ *acceptor_time_rec = 0; ++ ++ if (initiator_time_rec != NULL) ++ *initiator_time_rec = 0; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_cred_handle == GSS_C_NO_CREDENTIAL && ++ output_cred_handle == NULL) ++ ++ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + /* V2 KRB5_CALLCONV */ + OM_uint32 KRB5_CALLCONV + gss_add_cred(minor_status, input_cred_handle, +@@ -238,26 +318,19 @@ + gss_OID new_mechs_array = NULL; + gss_cred_id_t * new_cred_array = NULL; + +- /* check input parameters */ +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (input_cred_handle == GSS_C_NO_CREDENTIAL && +- output_cred_handle == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); +- +- if (output_cred_handle) +- *output_cred_handle = GSS_C_NO_CREDENTIAL; +- +- if (actual_mechs) +- *actual_mechs = NULL; +- +- if (acceptor_time_rec) +- *acceptor_time_rec = 0; +- +- if (initiator_time_rec) +- *initiator_time_rec = 0; ++ status = val_add_cred_args(minor_status, ++ input_cred_handle, ++ desired_name, ++ desired_mech, ++ cred_usage, ++ initiator_time_req, ++ acceptor_time_req, ++ output_cred_handle, ++ actual_mechs, ++ initiator_time_rec, ++ acceptor_time_rec); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + mech = gssint_get_mechanism(desired_mech); + if (!mech) +--- src/lib/gssapi/mechglue/g_canon_name.c ++++ src/lib/gssapi/mechglue/g_canon_name.c 2006/12/05 10:59:33 +@@ -25,6 +25,34 @@ + #include + #include + ++static OM_uint32 ++val_canon_name_args( ++ OM_uint32 *minor_status, ++ const gss_name_t input_name, ++ const gss_OID mech_type, ++ gss_name_t *output_name) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_name != NULL) ++ *output_name = GSS_C_NO_NAME; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_name == GSS_C_NO_NAME || mech_type == GSS_C_NULL_OID) ++ return (GSS_S_CALL_INACCESSIBLE_READ); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_canonicalize_name(minor_status, + input_name, +@@ -38,17 +66,15 @@ + gss_union_name_t in_union, out_union = NULL, dest_union = NULL; + OM_uint32 major_status = GSS_S_FAILURE; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- *minor_status = 0; +- +- if (output_name) +- *output_name = 0; ++ major_status = val_canon_name_args(minor_status, ++ input_name, ++ mech_type, ++ output_name); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + +- /* check the input parameters */ +- if (input_name == NULL || mech_type == GSS_C_NULL_OID) +- return (GSS_S_CALL_INACCESSIBLE_READ); ++ /* Initial value needed below. */ ++ major_status = GSS_S_FAILURE; + + in_union = (gss_union_name_t)input_name; + /* +--- src/lib/gssapi/mechglue/g_compare_name.c ++++ src/lib/gssapi/mechglue/g_compare_name.c 2006/12/05 12:40:50 +@@ -33,6 +33,31 @@ + #endif + #include + ++static OM_uint32 ++val_comp_name_args( ++ OM_uint32 *minor_status, ++ gss_name_t name1, ++ gss_name_t name2, ++ int *name_equal) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ /* Validate arguments. */ ++ ++ if (name1 == GSS_C_NO_NAME || name2 == GSS_C_NO_NAME) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ if (name_equal == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_compare_name (minor_status, + name1, +@@ -50,15 +75,10 @@ + gss_mechanism mech; + gss_name_t internal_name; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (name1 == 0 || name2 == 0) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); +- +- if (name_equal == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ major_status = val_comp_name_args(minor_status, ++ name1, name2, name_equal); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + + union_name1 = (gss_union_name_t) name1; + union_name2 = (gss_union_name_t) name2; +--- src/lib/gssapi/mechglue/g_delete_sec_context.c ++++ src/lib/gssapi/mechglue/g_delete_sec_context.c 2006/12/05 11:49:10 +@@ -32,6 +32,34 @@ + #include + #endif + ++static OM_uint32 ++val_del_sec_ctx_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t output_token) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_token != GSS_C_NO_BUFFER) { ++ output_token->length = 0; ++ output_token->value = NULL; ++ } ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); ++ ++ return (GSS_S_COMPLETE); ++} ++ + OM_uint32 KRB5_CALLCONV + gss_delete_sec_context (minor_status, + context_handle, +@@ -46,17 +74,9 @@ + gss_union_ctx_id_t ctx; + gss_mechanism mech; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- if (output_token != GSS_C_NO_BUFFER) { +- output_token->length = 0; +- output_token->value = NULL; +- } +- +- /* if the context_handle is Null, return NO_CONTEXT error */ +- if(context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); ++ status = val_del_sec_ctx_args(minor_status, context_handle, output_token); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + /* + * select the approprate underlying mechanism routine and +--- src/lib/gssapi/mechglue/g_dsp_name.c ++++ src/lib/gssapi/mechglue/g_dsp_name.c 2006/12/05 11:22:35 +@@ -34,6 +34,42 @@ + #endif + #include + ++static OM_uint32 ++val_dsp_name_args( ++ OM_uint32 *minor_status, ++ gss_name_t input_name, ++ gss_buffer_t output_name_buffer, ++ gss_OID *output_name_type) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_name_buffer != GSS_C_NO_BUFFER) { ++ output_name_buffer->length = 0; ++ output_name_buffer->value = NULL; ++ } ++ ++ if (output_name_type != NULL) ++ *output_name_type = GSS_C_NO_OID; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (output_name_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_name == GSS_C_NO_NAME) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_display_name (minor_status, + input_name, +@@ -49,18 +85,10 @@ + OM_uint32 major_status; + gss_union_name_t union_name; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (input_name == 0) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); +- +- if (output_name_buffer == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- if (output_name_type) +- *output_name_type = NULL; ++ major_status = val_dsp_name_args(minor_status, input_name, ++ output_name_buffer, output_name_type); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + + union_name = (gss_union_name_t) input_name; + +--- src/lib/gssapi/mechglue/g_dsp_status.c ++++ src/lib/gssapi/mechglue/g_dsp_status.c 2006/12/05 11:29:19 +@@ -54,17 +54,19 @@ + gss_OID mech_type = (gss_OID) req_mech_type; + gss_mechanism mech; + +- /* check the input parameters */ +- if (!minor_status) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ if (minor_status != NULL) ++ *minor_status = 0; + +- *minor_status = 0; ++ if (status_string != GSS_C_NO_BUFFER) { ++ status_string->length = 0; ++ status_string->value = NULL; ++ } + +- if (!message_context || status_string == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ if (minor_status == NULL || ++ message_context == NULL || ++ status_string == GSS_C_NO_BUFFER) + +- status_string->length = 0; +- status_string->value = NULL; ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); + + /* we handle major status codes, and the mechs do the minor */ + if (status_type == GSS_C_GSS_CODE) +--- src/lib/gssapi/mechglue/g_dup_name.c ++++ src/lib/gssapi/mechglue/g_dup_name.c 2006/12/05 11:27:38 +@@ -19,6 +19,37 @@ + #include + #include + ++static OM_uint32 ++val_dup_name_args( ++ OM_uint32 *minor_status, ++ const gss_name_t src_name, ++ gss_name_t *dest_name) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (dest_name != NULL) ++ *dest_name = GSS_C_NO_NAME; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ /* if output_name is NULL, simply return */ ++ if (dest_name == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (src_name == GSS_C_NO_NAME) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_duplicate_name(minor_status, + src_name, +@@ -31,19 +62,9 @@ + OM_uint32 major_status = GSS_S_FAILURE; + + +- if (!minor_status) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- *minor_status = 0; +- +- /* if output_name is NULL, simply return */ +- if (dest_name == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_BAD_NAME); +- +- *dest_name = 0; +- +- if (src_name == NULL) +- return (GSS_S_CALL_INACCESSIBLE_READ); ++ major_status = val_dup_name_args(minor_status, src_name, dest_name); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + + src_union = (gss_union_name_t)src_name; + +--- src/lib/gssapi/mechglue/g_export_name.c ++++ src/lib/gssapi/mechglue/g_export_name.c 2006/12/05 11:14:26 +@@ -29,19 +29,22 @@ + { + gss_union_name_t union_name; + ++ /* Initialize outputs. */ + +- if (minor_status) ++ if (minor_status != NULL) + *minor_status = 0; + +- /* check out parameter */ +- if (!exported_name) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ if (exported_name != GSS_C_NO_BUFFER) { ++ exported_name->value = NULL; ++ exported_name->length = 0; ++ } ++ ++ /* Validate arguments. */ + +- exported_name->value = NULL; +- exported_name->length = 0; ++ if (minor_status == NULL || exported_name == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); + +- /* check input parameter */ +- if (!input_name) ++ if (input_name == GSS_C_NO_NAME) + return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); + + union_name = (gss_union_name_t)input_name; +--- src/lib/gssapi/mechglue/g_exp_sec_context.c ++++ src/lib/gssapi/mechglue/g_exp_sec_context.c 2006/12/05 10:57:19 +@@ -34,6 +34,38 @@ + #endif + #include + ++static OM_uint32 ++val_exp_sec_ctx_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (interprocess_token != GSS_C_NO_BUFFER) { ++ interprocess_token->length = 0; ++ interprocess_token->value = NULL; ++ } ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); ++ ++ if (interprocess_token == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_export_sec_context(minor_status, + context_handle, +@@ -51,15 +83,11 @@ + gss_buffer_desc token; + char *buf; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); + +- if (interprocess_token == NULL) +- return (GSS_S_CALL_INACCESSIBLE_READ); ++ status = val_exp_sec_ctx_args(minor_status, ++ context_handle, interprocess_token); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + /* + * select the approprate underlying mechanism routine and +--- src/lib/gssapi/mechglue/g_imp_name.c ++++ src/lib/gssapi/mechglue/g_imp_name.c 2006/12/05 12:39:46 +@@ -38,6 +38,40 @@ + /* local function to import GSS_C_EXPORT_NAME names */ + static OM_uint32 importExportName(OM_uint32 *, gss_union_name_t); + ++static OM_uint32 ++val_imp_name_args( ++ OM_uint32 *minor_status, ++ gss_buffer_t input_name_buffer, ++ gss_OID input_name_type, ++ gss_name_t *output_name) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_name != NULL) ++ *output_name = GSS_C_NO_NAME; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (output_name == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_name_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ if (GSS_EMPTY_BUFFER(input_name_buffer)) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_import_name(minor_status, + input_name_buffer, +@@ -53,22 +87,11 @@ + gss_union_name_t union_name; + OM_uint32 tmp, major_status = GSS_S_FAILURE; + +- /* check output parameters */ +- if (!minor_status) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- *minor_status = 0; +- +- if (output_name == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- *output_name = 0; +- +- if (input_name_buffer == GSS_C_NO_BUFFER) +- return (GSS_S_BAD_NAME); +- +- if (GSS_EMPTY_BUFFER(input_name_buffer)) +- return (GSS_S_BAD_NAME); ++ major_status = val_imp_name_args(minor_status, ++ input_name_buffer, input_name_type, ++ output_name); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + + /* + * First create the union name struct that will hold the external +--- src/lib/gssapi/mechglue/g_imp_sec_context.c ++++ src/lib/gssapi/mechglue/g_imp_sec_context.c 2006/12/05 11:16:45 +@@ -34,6 +34,38 @@ + #endif + #include + ++static OM_uint32 ++val_imp_sec_ctx_args( ++ OM_uint32 *minor_status, ++ gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle) ++{ ++ ++ /* Initialize outputs. */ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (context_handle != NULL) ++ *context_handle = GSS_C_NO_CONTEXT; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (interprocess_token == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); ++ ++ if (GSS_EMPTY_BUFFER(interprocess_token)) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_import_sec_context(minor_status, + interprocess_token, +@@ -51,17 +83,12 @@ + gss_buffer_desc token; + gss_mechanism mech; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (context_handle == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); +- *context_handle = GSS_C_NO_CONTEXT; +- +- if (GSS_EMPTY_BUFFER(interprocess_token)) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); ++ status = val_imp_sec_ctx_args(minor_status, ++ interprocess_token, context_handle); ++ if (status != GSS_S_COMPLETE) ++ return (status); + ++ /* Initial value needed below. */ + status = GSS_S_FAILURE; + + ctx = (gss_union_ctx_id_t) malloc(sizeof(gss_union_ctx_id_desc)); +--- src/lib/gssapi/mechglue/g_initialize.c ++++ src/lib/gssapi/mechglue/g_initialize.c 2006/12/05 11:05:13 +@@ -142,18 +142,21 @@ + int i, j; + gss_OID curItem; + +- if (!minorStatus) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- if (gssint_initialize_library()) +- return GSS_S_FAILURE; ++ /* Initialize outputs. */ + +- *minorStatus = 0; ++ if (minorStatus != NULL) ++ *minorStatus = 0; + ++ if (mechSet != NULL) ++ *mechSet = GSS_C_NO_OID_SET; + +- /* check output parameter */ +- if (mechSet == NULL) ++ /* Validate arguments. */ ++ if (minorStatus == NULL || mechSet == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + ++ if (gssint_initialize_library()) ++ return GSS_S_FAILURE; ++ + if (build_mechSet()) + return GSS_S_FAILURE; + +--- src/lib/gssapi/mechglue/g_init_sec_context.c ++++ src/lib/gssapi/mechglue/g_init_sec_context.c 2006/12/05 12:37:22 +@@ -33,6 +33,54 @@ + #endif + #include + ++static OM_uint32 ++val_init_sec_ctx_args( ++ OM_uint32 *minor_status, ++ gss_cred_id_t claimant_cred_handle, ++ gss_ctx_id_t *context_handle, ++ gss_name_t target_name, ++ gss_OID req_mech_type, ++ OM_uint32 req_flags, ++ OM_uint32 time_req, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_buffer_t input_token, ++ gss_OID *actual_mech_type, ++ gss_buffer_t output_token, ++ OM_uint32 *ret_flags, ++ OM_uint32 *time_rec) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (actual_mech_type != NULL) ++ *actual_mech_type = GSS_C_NO_OID; ++ ++ if (output_token != GSS_C_NO_BUFFER) { ++ output_token->length = 0; ++ output_token->value = NULL; ++ } ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); ++ ++ if (target_name == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); ++ ++ if (output_token == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_init_sec_context (minor_status, + claimant_cred_handle, +@@ -72,30 +120,21 @@ + gss_mechanism mech; + gss_cred_id_t input_cred_handle; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- output_token->length = 0; +- output_token->value = NULL; +- +- /* clear output values */ +- if (actual_mech_type) +- *actual_mech_type = NULL; +- +- if (context_handle == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); +- +- union_name = (gss_union_name_t) target_name; +- +- if (target_name == NULL) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); +- +- if (output_token == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- output_token->value = NULL; +- output_token->length = 0; +- ++ status = val_init_sec_ctx_args(minor_status, ++ claimant_cred_handle, ++ context_handle, ++ target_name, ++ req_mech_type, ++ req_flags, ++ time_req, ++ input_chan_bindings, ++ input_token, ++ actual_mech_type, ++ output_token, ++ ret_flags, ++ time_rec); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + if (req_mech_type) + mech_type = (gss_OID)req_mech_type; +--- src/lib/gssapi/mechglue/g_inq_context.c ++++ src/lib/gssapi/mechglue/g_inq_context.c 2006/12/05 11:43:43 +@@ -31,6 +31,45 @@ + #include + #endif + ++static OM_uint32 ++val_inq_ctx_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, ++ gss_name_t *src_name, ++ gss_name_t *targ_name, ++ OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, ++ OM_uint32 *ctx_flags, ++ int *locally_initiated, ++ int *open) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ ++ if (mech_type != NULL) ++ *mech_type = GSS_C_NO_OID; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + /* Last argument new for V2 */ + OM_uint32 KRB5_CALLCONV + gss_inquire_context( +@@ -61,24 +100,14 @@ + OM_uint32 status, temp_minor; + gss_name_t localTargName = NULL, localSourceName = NULL; + +- if (!minor_status) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- +- *minor_status = 0; +- +- /* if the context_handle is Null, return NO_CONTEXT error */ +- if (context_handle == GSS_C_NO_CONTEXT) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); +- +- /* set all output value to NULL */ +- if (src_name) +- *src_name = NULL; +- +- if (targ_name) +- *targ_name = NULL; +- +- if (mech_type) +- *mech_type = NULL; ++ status = val_inq_ctx_args(minor_status, ++ context_handle, ++ src_name, targ_name, ++ lifetime_rec, ++ mech_type, ctx_flags, ++ locally_initiated, open); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + /* + * select the approprate underlying mechanism routine and +--- src/lib/gssapi/mechglue/g_inq_cred.c ++++ src/lib/gssapi/mechglue/g_inq_cred.c 2006/12/05 12:38:48 +@@ -56,16 +56,20 @@ + gss_name_t internal_name; + int i; + +- /* check parms and set to defaults */ +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; + +- if (name) +- *name = NULL; ++ if (name != NULL) ++ *name = GSS_C_NO_NAME; + +- if (mechanisms) +- *mechanisms = NULL; ++ if (mechanisms != NULL) ++ *mechanisms = GSS_C_NO_OID_SET; ++ ++ /* Validate arguments. */ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + /* +@@ -216,6 +220,14 @@ + OM_uint32 status, temp_minor_status; + gss_name_t internal_name; + ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (name != NULL) ++ *name = GSS_C_NO_NAME; ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); + + mech = gssint_get_mechanism (mech_type); + if (!mech) +--- src/lib/gssapi/mechglue/g_inq_names.c ++++ src/lib/gssapi/mechglue/g_inq_names.c 2006/12/05 11:11:27 +@@ -41,10 +41,19 @@ + { + OM_uint32 status; + gss_mechanism mech; ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (name_types != NULL) ++ *name_types = GSS_C_NO_OID_SET; ++ ++ /* Validate arguments. */ + + if (minor_status == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; + + if (name_types == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); +@@ -72,6 +81,33 @@ + + return (GSS_S_BAD_MECH); + } ++ ++static OM_uint32 ++val_inq_mechs4name_args( ++ OM_uint32 *minor_status, ++ const gss_name_t input_name, ++ gss_OID_set *mech_set) ++{ ++ ++ /* Initialize outputs. */ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (mech_set != NULL) ++ *mech_set = GSS_C_NO_OID_SET; ++ ++ /* Validate arguments.e ++ */ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_name == GSS_C_NO_NAME) ++ return (GSS_S_BAD_NAME); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_inquire_mechs_for_name(minor_status, input_name, mech_set) + +@@ -90,12 +126,9 @@ + gss_buffer_desc name_buffer; + int i; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (input_name == NULL) +- return (GSS_S_BAD_NAME); ++ status = val_inq_mechs4name_args(minor_status, input_name, mech_set); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + status = gss_create_empty_oid_set(minor_status, mech_set); + if (status != GSS_S_COMPLETE) +--- src/lib/gssapi/mechglue/g_process_context.c ++++ src/lib/gssapi/mechglue/g_process_context.c 2006/12/05 10:48:20 +@@ -49,6 +49,9 @@ + if (context_handle == GSS_C_NO_CONTEXT) + return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); + ++ if (token_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ); ++ + if (GSS_EMPTY_BUFFER(token_buffer)) + return (GSS_S_CALL_INACCESSIBLE_READ); + +--- src/lib/gssapi/mechglue/g_seal.c ++++ src/lib/gssapi/mechglue/g_seal.c 2006/12/05 11:18:00 +@@ -28,6 +28,45 @@ + + #include "mglueP.h" + ++static OM_uint32 ++val_seal_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, ++ int conf_req_flag, ++ int qop_req, ++ gss_buffer_t input_message_buffer, ++ int *conf_state, ++ gss_buffer_t output_message_buffer) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_message_buffer != GSS_C_NO_BUFFER) { ++ output_message_buffer->length = 0; ++ output_message_buffer->value = NULL; ++ } ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); ++ ++ if (input_message_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ); ++ ++ if (output_message_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_seal (minor_status, + context_handle, +@@ -51,18 +90,12 @@ + gss_union_ctx_id_t ctx; + gss_mechanism mech; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (context_handle == GSS_C_NO_CONTEXT) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); +- +- if (input_message_buffer == NULL) +- return (GSS_S_CALL_INACCESSIBLE_READ); +- +- if (output_message_buffer == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ status = val_seal_args(minor_status, context_handle, ++ conf_req_flag, qop_req, ++ input_message_buffer, conf_state, ++ output_message_buffer); ++ if (status != GSS_S_COMPLETE) ++ return (status); + + /* + * select the approprate underlying mechanism routine and +--- src/lib/gssapi/mechglue/g_sign.c ++++ src/lib/gssapi/mechglue/g_sign.c 2006/12/05 11:46:42 +@@ -28,6 +28,43 @@ + + #include "mglueP.h" + ++static OM_uint32 ++val_sign_args( ++ OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, ++ int qop_req, ++ gss_buffer_t message_buffer, ++ gss_buffer_t msg_token) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (msg_token != GSS_C_NO_BUFFER) { ++ msg_token->value = NULL; ++ msg_token->length = 0; ++ } ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (context_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); ++ ++ if (message_buffer == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_READ); ++ ++ if (msg_token == GSS_C_NO_BUFFER) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 KRB5_CALLCONV + gss_sign (minor_status, + context_handle, +@@ -46,21 +83,11 @@ + gss_union_ctx_id_t ctx; + gss_mechanism mech; + +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; +- +- if (context_handle == GSS_C_NO_CONTEXT) +- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); +- +- if (message_buffer == NULL) +- return (GSS_S_CALL_INACCESSIBLE_READ); +- +- if (msg_token == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ status = val_sign_args(minor_status, context_handle, ++ qop_req, message_buffer, msg_token); ++ if (status != GSS_S_COMPLETE) ++ return (status); + +- msg_token->value = NULL; +- msg_token->length = 0; + /* + * select the approprate underlying mechanism routine and + * call it. +--- src/lib/gssapi/mechglue/g_store_cred.c ++++ src/lib/gssapi/mechglue/g_store_cred.c 2006/12/05 10:54:48 +@@ -11,6 +11,38 @@ + + #include + ++static OM_uint32 ++val_store_cred_args( ++ OM_uint32 *minor_status, ++ const gss_cred_id_t input_cred_handle, ++ gss_cred_usage_t cred_usage, ++ const gss_OID desired_mech, ++ OM_uint32 overwrite_cred, ++ OM_uint32 default_cred, ++ gss_OID_set *elements_stored, ++ gss_cred_usage_t *cred_usage_stored) ++{ ++ ++ /* Initialize outputs. */ ++ ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (elements_stored != NULL) ++ *elements_stored = GSS_C_NULL_OID_SET; ++ ++ /* Validate arguments. */ ++ ++ if (minor_status == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (input_cred_handle == GSS_C_NO_CREDENTIAL) ++ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CRED); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++ + OM_uint32 gss_store_cred(minor_status, + input_cred_handle, + cred_usage, +@@ -37,16 +69,19 @@ + gss_OID dmech; + int i; + +- /* Start by checking parameters */ +- if (minor_status == NULL) +- return (GSS_S_CALL_INACCESSIBLE_WRITE|GSS_S_NO_CRED); +- *minor_status = 0; +- +- if (input_cred_handle == GSS_C_NO_CREDENTIAL) +- return (GSS_S_CALL_INACCESSIBLE_READ); ++ major_status = val_store_cred_args(minor_status, ++ input_cred_handle, ++ cred_usage, ++ desired_mech, ++ overwrite_cred, ++ default_cred, ++ elements_stored, ++ cred_usage_stored); ++ if (major_status != GSS_S_COMPLETE) ++ return (major_status); + +- if (elements_stored != NULL) +- *elements_stored = GSS_C_NULL_OID_SET; ++ /* Initial value needed below. */ ++ major_status = GSS_S_FAILURE; + + if (cred_usage_stored != NULL) + *cred_usage_stored = GSS_C_BOTH; /* there's no GSS_C_NEITHER */ +--- src/lib/gssapi/mechglue/g_unseal.c ++++ src/lib/gssapi/mechglue/g_unseal.c 2006/12/05 11:26:17 +@@ -49,22 +49,27 @@ + gss_union_ctx_id_t ctx; + gss_mechanism mech; + ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (output_message_buffer != GSS_C_NO_BUFFER) { ++ output_message_buffer->length = 0; ++ output_message_buffer->value = NULL; ++ } ++ + if (minor_status == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); +- *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) + return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); + +- if (GSS_EMPTY_BUFFER(input_message_buffer)) ++ if (input_message_buffer == GSS_C_NO_BUFFER || ++ GSS_EMPTY_BUFFER(input_message_buffer)) + return (GSS_S_CALL_INACCESSIBLE_READ); + +- if (output_message_buffer == NULL) ++ if (output_message_buffer == GSS_C_NO_BUFFER) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + +- output_message_buffer->length = 0; +- output_message_buffer->value = NULL; +- + /* + * select the approprate underlying mechanism routine and + * call it. +--- src/lib/gssapi/mechglue/g_verify.c ++++ src/lib/gssapi/mechglue/g_verify.c 2006/12/05 11:07:29 +@@ -54,7 +54,8 @@ + if (context_handle == GSS_C_NO_CONTEXT) + return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); + +- if ((message_buffer == NULL) || GSS_EMPTY_BUFFER(token_buffer)) ++ if ((message_buffer == GSS_C_NO_BUFFER) || ++ GSS_EMPTY_BUFFER(token_buffer)) + return (GSS_S_CALL_INACCESSIBLE_READ); + + /* +--- src/lib/gssapi/mechglue/oid_ops.c ++++ src/lib/gssapi/mechglue/oid_ops.c 2006/12/05 12:45:33 +@@ -49,7 +49,7 @@ + if (minor_status) + *minor_status = 0; + +- if (*oid == GSS_C_NO_OID) ++ if (oid == NULL || *oid == GSS_C_NO_OID) + return(GSS_S_COMPLETE); + + /* +@@ -227,12 +227,18 @@ + unsigned char *cp; + char *bp; + +- *minor_status = 0; ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (oid_str != GSS_C_NO_BUFFER) { ++ oid_str->length = 0; ++ oid_str->value = NULL; ++ } + + if (oid == NULL || oid->length == 0 || oid->elements == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + +- if (oid_str == NULL) ++ if (oid_str == GSS_C_NO_BUFFER) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + /* Decoded according to krb5/gssapi_krb5.c */ +@@ -307,7 +313,11 @@ + int index; + unsigned char *op; + +- *minor_status = 0; ++ if (minor_status != NULL) ++ *minor_status = 0; ++ ++ if (oid != NULL) ++ *oid = GSS_C_NO_OID; + + if (GSS_EMPTY_BUFFER(oid_str)) + return (GSS_S_CALL_INACCESSIBLE_READ); +@@ -458,17 +468,18 @@ + OM_uint32 major = GSS_S_COMPLETE; + OM_uint32 index; + +- if (minor_status) ++ if (minor_status != NULL) + *minor_status = 0; + +- if (oidset == NULL) ++ if (new_oidset != NULL) ++ *new_oidset = GSS_C_NO_OID_SET; ++ ++ if (oidset == GSS_C_NO_OID_SET) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if (new_oidset == NULL) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + +- *new_oidset = NULL; +- + if ((copy = (gss_OID_set_desc *) calloc(1, sizeof (*copy))) == NULL) { + major = GSS_S_FAILURE; + goto done; diff --git a/krb5-doc.spec b/krb5-doc.spec index 934e54a..7258bfc 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -13,7 +13,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html te_ams Version: 1.5.1 -Release: 35 +Release: 39 %define srcRoot krb5-1.5.1 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT diff --git a/krb5.changes b/krb5.changes index f85adf9..12cf5c3 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,7 +1,19 @@ +------------------------------------------------------------------- +Wed Jan 10 11:16:30 CET 2007 - mc@suse.de + +- fix for + kadmind (via RPC library) calls uninitialized function pointer + (CVE-2006-6143)(Bug #225990) + krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif +- fix for + kadmind (via GSS-API mechglue) frees uninitialized pointers + (CVE-2006-6144)(Bug #225992) + krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif + ------------------------------------------------------------------- Tue Jan 2 14:53:33 CET 2007 - mc@suse.de -- Fix Requires in krb5-devel +- Fix Requires in krb5-devel [Bug #231008] ------------------------------------------------------------------- diff --git a/krb5.spec b/krb5.spec index c23d523..fd6187e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -12,7 +12,7 @@ Name: krb5 Version: 1.5.1 -Release: 26 +Release: 28 BuildRequires: libcom_err %define srcRoot krb5-1.5.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -31,6 +31,8 @@ Source4: EncryptWithMasterKey.c Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.4-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif +Patch4: krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif +Patch5: krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif Patch6: trunk-EncryptWithMasterKey.dif Patch12: warning-fix-util-support.dif Patch14: warning-fix-lib-crypto-des.dif @@ -176,6 +178,8 @@ fi %patch1 %patch2 %patch3 +%patch4 +%patch5 %patch6 cd %{_builddir}/%{srcRoot}/src %patch12 @@ -480,6 +484,15 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog -n krb5 +* Wed Jan 10 2007 - mc@suse.de +- fix for + kadmind (via RPC library) calls uninitialized function pointer + (CVE-2006-6143)(Bug #225990) + krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif +- fix for + kadmind (via GSS-API mechglue) frees uninitialized pointers + (CVE-2006-6144)(Bug #225992) + krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif * Tue Jan 02 2007 - mc@suse.de - Fix Requires in krb5-devel [Bug #231008]