From 8cdb8619f52f1d72dea47bd6952dc75f976f7c77 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 23 May 2024 13:25:31 +0300 Subject: [PATCH] import krb5-1.18.2-27.el8_10 --- ...uest_timeout-configuration-parameter.patch | 226 ++++++++++++++++++ ...onnection-on-KDC_ERR_SVC_UNAVAILABLE.patch | 34 +++ SOURCES/Fix-two-unlikely-memory-leaks.patch | 205 ++++++++++++++++ ...-indefinitely-on-KDC-TCP-connections.patch | 138 +++++++++++ SPECS/krb5.spec | 14 +- 5 files changed, 616 insertions(+), 1 deletion(-) create mode 100644 SOURCES/Add-request_timeout-configuration-parameter.patch create mode 100644 SOURCES/End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch create mode 100644 SOURCES/Fix-two-unlikely-memory-leaks.patch create mode 100644 SOURCES/Wait-indefinitely-on-KDC-TCP-connections.patch diff --git a/SOURCES/Add-request_timeout-configuration-parameter.patch b/SOURCES/Add-request_timeout-configuration-parameter.patch new file mode 100644 index 0000000..dc0295a --- /dev/null +++ b/SOURCES/Add-request_timeout-configuration-parameter.patch @@ -0,0 +1,226 @@ +From 433dd85aaf8d9ed0e923c873f107995232b94422 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 26 Oct 2023 14:20:34 -0400 +Subject: [PATCH] Add request_timeout configuration parameter + +Add a parameter to limit the total amount of time taken for a KDC or +password change request. + +ticket: 9106 (new) +(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be) +--- + doc/admin/conf_files/krb5_conf.rst | 9 ++++++ + src/include/k5-int.h | 2 ++ + src/lib/krb5/krb/init_ctx.c | 14 +++++++- + src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++---------- + 4 files changed, 58 insertions(+), 18 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 315253e378..557094f6a2 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -357,6 +357,15 @@ The libdefaults section may contain any of the following relations: + (:ref:`duration` string.) Sets the default renewable lifetime + for initial ticket requests. The default value is 0. + ++**request_timeout** ++ (:ref:`duration` string.) Sets the maximum total time for KDC or ++ password change requests. This timeout does not affect the ++ intervals between requests, so setting a low timeout may result in ++ fewer requests being attempted and/or some servers not being ++ contacted. A value of 0 indicates no specific maximum, in which ++ case requests will time out if no server responds after several ++ tries. The default value is 0. (New in release 1.22.) ++ + **spake_preauth_groups** + A whitespace or comma-separated list of words which specifies the + groups allowed for SPAKE preauthentication. The possible values +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 912aaedac4..9d5e41ca2c 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -293,6 +293,7 @@ typedef unsigned char u_char; + #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator" + #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge" + #define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups" ++#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout" + #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime" + #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit" + #define KRB5_CONF_UNLOCKITER "unlockiter" +@@ -1218,6 +1219,7 @@ struct _krb5_context { + kdb5_dal_handle *dal_handle; + /* allowable clock skew */ + krb5_deltat clockskew; ++ krb5_deltat req_timeout; + krb5_flags kdc_default_options; + krb5_flags library_options; + krb5_boolean profile_secure; +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 9a4741fa64..1a6e0bf672 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -163,7 +163,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + } seed_data; + krb5_data seed; + int tmp; +- char *plugin_dir = NULL; ++ char *plugin_dir = NULL, *timeout_str = NULL; + + /* Verify some assumptions. If the assumptions hold and the + compiler is optimizing, this should result in no code being +@@ -257,6 +257,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp); + ctx->clockskew = tmp; + ++ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, ++ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL, ++ &timeout_str); ++ if (retval) ++ goto cleanup; ++ if (timeout_str != NULL) { ++ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout); ++ if (retval) ++ goto cleanup; ++ } ++ + get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK, + &tmp); + ctx->kdc_default_options = tmp; +@@ -298,6 +309,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + + cleanup: + profile_release_string(plugin_dir); ++ profile_release_string(timeout_str); + krb5_free_context(ctx); + return retval; + } +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 8e4fcd2a38..f57117126e 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -1390,34 +1390,41 @@ get_endtime(time_ms endtime, struct conn_state *conns) + + static krb5_boolean + service_fds(krb5_context context, struct select_state *selstate, +- time_ms interval, struct conn_state *conns, ++ time_ms interval, time_ms timeout, struct conn_state *conns, + struct select_state *seltemp, const krb5_data *realm, + int (*msg_handler)(krb5_context, const krb5_data *, void *), + void *msg_handler_data, struct conn_state **winner_out) + { + int e, selret = 0; +- time_ms endtime; ++ time_ms curtime, interval_end, endtime; + struct conn_state *state; + + *winner_out = NULL; + +- e = get_curtime_ms(&endtime); ++ e = get_curtime_ms(&curtime); + if (e) + return TRUE; +- endtime += interval; ++ interval_end = curtime + interval; + + e = 0; + while (selstate->nfds > 0) { +- e = cm_select_or_poll(selstate, get_endtime(endtime, conns), +- seltemp, &selret); ++ endtime = get_endtime(interval_end, conns); ++ /* Don't wait longer than the whole request should last. */ ++ if (timeout && endtime > timeout) ++ endtime = timeout; ++ e = cm_select_or_poll(selstate, endtime, seltemp, &selret); + if (e == EINTR) + continue; + if (e != 0) + break; + +- if (selret == 0) +- /* Timeout, return to caller. */ ++ if (selret == 0) { ++ /* We timed out. Stop if we hit the overall request timeout. */ ++ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout)) ++ return TRUE; ++ /* Otherwise return to the caller to send the next request. */ + return FALSE; ++ } + + /* Got something on a socket, process it. */ + for (state = conns; state != NULL; state = state->next) { +@@ -1490,7 +1497,7 @@ k5_sendto(krb5_context context, const krb5_data *message, + void *msg_handler_data) + { + int pass; +- time_ms delay; ++ time_ms delay, timeout = 0; + krb5_error_code retval; + struct conn_state *conns = NULL, *state, **tailptr, *next, *winner; + size_t s; +@@ -1500,6 +1507,13 @@ k5_sendto(krb5_context context, const krb5_data *message, + + *reply = empty_data(); + ++ if (context->req_timeout) { ++ retval = get_curtime_ms(&timeout); ++ if (retval) ++ return retval; ++ timeout += 1000 * context->req_timeout; ++ } ++ + /* One for use here, listing all our fds in use, and one for + * temporary use in service_fds, for the fds of interest. */ + sel_state = malloc(2 * sizeof(*sel_state)); +@@ -1527,8 +1541,9 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, 1000, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + } + } + +@@ -1540,13 +1555,13 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, ++ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp, + realm, msg_handler, msg_handler_data, &winner); + } + + /* Wait for two seconds at the end of the first pass. */ + if (!done) { +- done = service_fds(context, sel_state, 2000, conns, seltemp, ++ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp, + realm, msg_handler, msg_handler_data, &winner); + } + +@@ -1557,15 +1572,17 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, 1000, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + if (sel_state->nfds == 0) + break; + } + /* Wait for the delay backoff at the end of this pass. */ + if (!done) { +- done = service_fds(context, sel_state, delay, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, delay, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + } + if (sel_state->nfds == 0) + break; +-- +2.44.0 + diff --git a/SOURCES/End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch b/SOURCES/End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch new file mode 100644 index 0000000..a0f0d25 --- /dev/null +++ b/SOURCES/End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch @@ -0,0 +1,34 @@ +From a68fba22588cc21dcd1dc28550529187dca58331 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 27 Oct 2023 00:44:53 -0400 +Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE + +In sendto_kdc.c:service_fds(), if a message handler indicates that a +message should be discarded, kill the connection so we don't continue +waiting on it for more data. + +ticket: 7899 +(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9) +--- + src/lib/krb5/os/sendto_kdc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index d76e24ccf0..8e4fcd2a38 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -1435,7 +1435,10 @@ service_fds(krb5_context context, struct select_state *selstate, + if (msg_handler != NULL) { + krb5_data reply = make_data(state->in.buf, state->in.pos); + +- stop = (msg_handler(context, &reply, msg_handler_data) != 0); ++ if (!msg_handler(context, &reply, msg_handler_data)) { ++ kill_conn(context, state, selstate); ++ stop = 0; ++ } + } + + if (stop) { +-- +2.44.0 + diff --git a/SOURCES/Fix-two-unlikely-memory-leaks.patch b/SOURCES/Fix-two-unlikely-memory-leaks.patch new file mode 100644 index 0000000..86bd5a9 --- /dev/null +++ b/SOURCES/Fix-two-unlikely-memory-leaks.patch @@ -0,0 +1,205 @@ +From efb3acd20cbe6330439635a9f297b9dae8a0a5d3 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 5 Mar 2024 19:53:07 -0500 +Subject: [PATCH] Fix two unlikely memory leaks + +In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which +could probably never be triggered) leaks plain.data. Fix this leak +and use current practices for cleanup throughout the function. + +In xmt_rmtcallres() (unused within the tree and likely elsewhere), +store port_ptr into crp->port_ptr as soon as it is allocated; +otherwise it could leak if the subsequent xdr_u_int32() operation +fails. + +(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d) +--- + src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++------------------- + src/lib/rpc/pmap_rmt.c | 9 +++--- + 2 files changed, 29 insertions(+), 36 deletions(-) + +diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c +index 3b4f8cb837..e881eee835 100644 +--- a/src/lib/gssapi/krb5/k5sealv3.c ++++ b/src/lib/gssapi/krb5/k5sealv3.c +@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + int conf_req_flag, int toktype) + { + size_t bufsize = 16; +- unsigned char *outbuf = 0; ++ unsigned char *outbuf = NULL; + krb5_error_code err; + int key_usage; + unsigned char acceptor_flag; +@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + size_t ec; + unsigned short tok_id; +- krb5_checksum sum; ++ krb5_checksum sum = { 0 }; + krb5_key key; + krb5_cksumtype cksumtype; ++ krb5_data plain = empty_data(); ++ ++ token->value = NULL; ++ token->length = 0; + + acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; + key_usage = (toktype == KG_TOK_WRAP_MSG +@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + + if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { +- krb5_data plain; + krb5_enc_data cipher; + size_t ec_max; + size_t encrypt_size; + + /* 300: Adds some slop. */ +- if (SIZE_MAX - 300 < message->length) +- return ENOMEM; ++ if (SIZE_MAX - 300 < message->length) { ++ err = ENOMEM; ++ goto cleanup; ++ } + ec_max = SIZE_MAX - message->length - 300; + if (ec_max > 0xffff) + ec_max = 0xffff; +@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + err = alloc_data(&plain, message->length + 16 + ec); + if (err) +- return err; ++ goto cleanup; + + /* Get size of ciphertext. */ + encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype); + if (encrypt_size > SIZE_MAX / 2) { + err = ENOMEM; +- goto error; ++ goto cleanup; + } + bufsize = 16 + encrypt_size; + /* Allocate space for header plus encrypted data. */ + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- return ENOMEM; ++ err = ENOMEM; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + cipher.ciphertext.length = bufsize - 16; + cipher.enctype = key->keyblock.enctype; + err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) +- goto error; ++ goto cleanup; + + /* Now that we know we're returning a valid token.... */ + ctx->seq_send++; +@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + /* If the rotate fails, don't worry about it. */ + #endif + } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { +- krb5_data plain; + size_t cksumsize; + + /* Here, message is the application-supplied data; message2 is +@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + wrap_with_checksum: + err = alloc_data(&plain, message->length + 16); + if (err) +- return err; ++ goto cleanup; + + err = krb5_c_checksum_length(context, cksumtype, &cksumsize); + if (err) +- goto error; ++ goto cleanup; + + assert(cksumsize <= 0xffff); + + bufsize = 16 + message2->length + cksumsize; + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- plain.data = 0; + err = ENOMEM; +- goto error; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + if (message2->length) + memcpy(outbuf + 16, message2->value, message2->length); + +- sum.contents = outbuf + 16 + message2->length; +- sum.length = cksumsize; +- + err = krb5_k_make_checksum(context, cksumtype, key, + key_usage, &plain, &sum); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) { + zap(outbuf,bufsize); +- goto error; ++ goto cleanup; + } + if (sum.length != cksumsize) + abort(); + memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize); +- krb5_free_checksum_contents(context, &sum); +- sum.contents = 0; + /* Now that we know we're actually generating the token... */ + ctx->seq_send++; + +@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + + token->value = outbuf; + token->length = bufsize; +- return 0; ++ outbuf = NULL; ++ err = 0; + +-error: ++cleanup: ++ krb5_free_checksum_contents(context, &sum); ++ zapfree(plain.data, plain.length); + gssalloc_free(outbuf); +- token->value = NULL; +- token->length = 0; + return err; + } + +diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c +index 8c7e30c21a..0748af34a7 100644 +--- a/src/lib/rpc/pmap_rmt.c ++++ b/src/lib/rpc/pmap_rmt.c +@@ -160,11 +160,12 @@ xdr_rmtcallres( + caddr_t port_ptr; + + port_ptr = (caddr_t)(void *)crp->port_ptr; +- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), +- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) { +- crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), ++ (xdrproc_t)xdr_u_int32)) ++ return (FALSE); ++ crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (xdr_u_int32(xdrs, &crp->resultslen)) + return ((*(crp->xdr_results))(xdrs, crp->results_ptr)); +- } + return (FALSE); + } + +-- +2.44.0 + diff --git a/SOURCES/Wait-indefinitely-on-KDC-TCP-connections.patch b/SOURCES/Wait-indefinitely-on-KDC-TCP-connections.patch new file mode 100644 index 0000000..3011695 --- /dev/null +++ b/SOURCES/Wait-indefinitely-on-KDC-TCP-connections.patch @@ -0,0 +1,138 @@ +From 2e871df888d526a15e9e91807480c15ca4e40618 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 26 Oct 2023 16:26:42 -0400 +Subject: [PATCH] Wait indefinitely on KDC TCP connections + +When making a KDC or password change request, wait indefinitely +(limited only by request_timeout if set) once a KDC has accepted a TCP +connection. + +ticket: 9105 (new) +(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36) +--- + doc/admin/conf_files/krb5_conf.rst | 2 +- + src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++-------------- + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 557094f6a2..98fe231813 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -358,7 +358,7 @@ The libdefaults section may contain any of the following relations: + for initial ticket requests. The default value is 0. + + **request_timeout** +- (:ref:`duration` string.) Sets the maximum total time for KDC or ++ (:ref:`duration` string.) Sets the maximum total time for KDC and + password change requests. This timeout does not affect the + intervals between requests, so setting a low timeout may result in + fewer requests being attempted and/or some servers not being +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index f57117126e..19b78aba24 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -134,7 +134,6 @@ struct conn_state { + krb5_data callback_buffer; + size_t server_index; + struct conn_state *next; +- time_ms endtime; + krb5_boolean defer; + struct { + const char *uri_path; +@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime, + struct select_state *out, int *sret) + { + #ifndef USE_POLL +- struct timeval tv; ++ struct timeval tv, *tvp; + #endif + krb5_error_code retval; + time_ms curtime, interval; + +- retval = get_curtime_ms(&curtime); +- if (retval != 0) +- return retval; +- interval = (curtime < endtime) ? endtime - curtime : 0; ++ if (endtime != 0) { ++ retval = get_curtime_ms(&curtime); ++ if (retval != 0) ++ return retval; ++ interval = (curtime < endtime) ? endtime - curtime : 0; ++ } else { ++ interval = -1; ++ } + + /* We don't need a separate copy of the selstate for poll, but use one for + * consistency with how we use select. */ +@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime, + #ifdef USE_POLL + *sret = poll(out->fds, out->nfds, interval); + #else +- tv.tv_sec = interval / 1000; +- tv.tv_usec = interval % 1000 * 1000; +- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv); ++ if (interval != -1) { ++ tv.tv_sec = interval / 1000; ++ tv.tv_usec = interval % 1000 * 1000; ++ tvp = &tv; ++ } else { ++ tvp = NULL; ++ } ++ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp); + #endif + + return (*sret < 0) ? SOCKET_ERRNO : 0; +@@ -1094,11 +1102,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm, + } + + conn->state = WRITING; +- +- /* Record this connection's timeout for service_fds. */ +- if (get_curtime_ms(&conn->endtime) == 0) +- conn->endtime += 10000; +- + return conn->service_write(context, realm, conn, selstate); + } + +@@ -1373,19 +1376,18 @@ kill_conn: + return FALSE; + } + +-/* Return the maximum of endtime and the endtime fields of all currently active +- * TCP connections. */ +-static time_ms +-get_endtime(time_ms endtime, struct conn_state *conns) ++/* Return true if conns contains any states with connected TCP sockets. */ ++static krb5_boolean ++any_tcp_connections(struct conn_state *conns) + { + struct conn_state *state; + + for (state = conns; state != NULL; state = state->next) { +- if ((state->state == READING || state->state == WRITING) && +- state->endtime > endtime) +- endtime = state->endtime; ++ if (state->addr.transport != UDP && ++ (state->state == READING || state->state == WRITING)) ++ return TRUE; + } +- return endtime; ++ return FALSE; + } + + static krb5_boolean +@@ -1408,9 +1410,9 @@ service_fds(krb5_context context, struct select_state *selstate, + + e = 0; + while (selstate->nfds > 0) { +- endtime = get_endtime(interval_end, conns); ++ endtime = any_tcp_connections(conns) ? 0 : interval_end; + /* Don't wait longer than the whole request should last. */ +- if (timeout && endtime > timeout) ++ if (timeout && (!endtime || endtime > timeout)) + endtime = timeout; + e = cm_select_or_poll(selstate, endtime, seltemp, &selret); + if (e == EINTR) +-- +2.44.0 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index df62543..6b44f1f 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 26%{?dist} +Release: 27%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -100,6 +100,10 @@ Patch154: Factor-out-PAC-checksum-verification.patch Patch155: Add-PAC-full-checksums.patch Patch156: downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch Patch157: downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch +Patch158: End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch +Patch159: Add-request_timeout-configuration-parameter.patch +Patch160: Wait-indefinitely-on-KDC-TCP-connections.patch +Patch161: Fix-two-unlikely-memory-leaks.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -710,6 +714,14 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Mar 21 2024 Julien Rische - 1.18.2-27 +- Fix memory leak in GSSAPI interface + Resolves: RHEL-27250 +- Fix memory leak in PMAP RPC interface + Resolves: RHEL-27244 +- Make TCP waiting time configurable + Resolves: RHEL-17131 + * Wed Sep 27 2023 Julien Rische - 1.18.2-26 - Allow to make AD-SIGNEDPATH optional Resolves: RHEL-10514