The branch, master has been updated
       via  d2ccaaa gensec: explain gensec_use_kerberos_mechs() logic
       via  93f3fc5 gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs
       via  901e3b7 Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"
      from  919440f selftest: mark posix_s3.rpc.spoolss.printer as flakey test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit d2ccaaad20a22a5a09f883809945827dabbc65a7
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 10 20:54:18 2012 +1100

    gensec: explain gensec_use_kerberos_mechs() logic

    Autobuild-User: Andrew Bartlett <abart...@samba.org>
    Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104

commit 93f3fc54e462958c3bc88ebf586be99fb703347b
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 10 08:13:40 2012 +1100

    gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs

    This should be the correct fix for the valgrind error Volker found in
    744ed53a62037a659133ccd4de2065491208ae7d.

    This fix avoids putting SPNEGO into the list twice when we are in the
    CRED_DONT_USE_KERBEROS case.

    Andrew Bartlett

commit 901e3b7246de9bdc07e2b3d88f55917bf2a37377
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 10 08:07:21 2012 +1100

    Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"

    This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d.

    The real bug here is that the second half of the outer loop should
    not have been run once we found spnego.

    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++----
 1 files changed, 22 insertions(+), 4 deletions(-)

Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index ab092a7..d3145ec 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c 
@@ -50,7 +50,22 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_ /* Sometimes we want to force only kerberos, sometimes we want to * force it's avoidance. The old list could be either * gensec_security_all(), or from cli_credentials_gensec_list() (ie, - * an existing list we have trimmed down) */ + * an existing list we have trimmed down) + * + * The intended logic is: + * + * if we are in the default AUTO have kerberos: + * - take a reference to the master list + * otherwise + * - always add spnego then: + * - if we 'MUST' have kerberos: + * only add kerberos mechs + * - if we 'DONT' want kerberos': + * only add non-kerberos mechs + * + * Once we get things like NegoEx or moonshot, this will of course get + * more compplex. + */ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, struct gensec_security_ops **old_gensec_list, @@ -75,8 +90,7 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ /* noop */ } - new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, - num_mechs_in*2 + 1); + new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1); if (!new_gensec_list) { return NULL; } @@ -84,14 +98,18 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ j = 0; for (i=0; old_gensec_list && old_gensec_list[i]; i++) { int oid_idx; - + bool found_spnego = false; for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) { if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) { new_gensec_list[j] = old_gensec_list[i]; j++; + found_spnego = true; break; } } + if (found_spnego) { + continue; + } switch (use_kerberos) { case CRED_DONT_USE_KERBEROS: if (old_gensec_list[i]->kerberos == false) { -- Samba Shared Repository
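
Review bot: The new comment block above gensec_use_kerberos_mechs() (hunk @@ -50,7 +50,22 @@) has wording slips that make the intended logic harder to follow: "if we are in the default AUTO have kerberos:" is missing words, "'DONT' want kerberos':" has a stray closing quote, and "compplex" is misspelled. Suggest "if we are in the default AUTO mode:", "if we 'DONT' want kerberos:" and "complex". Since the comment is meant to document the logic, it would also help to say that each input entry is added to the new list at most once, because the array sizing in the next hunk depends on exactly that.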
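
Review bot: In the talloc_array() call (hunk @@ -75,8 +90,7 @@), shrinking the allocation from `num_mechs_in*2 + 1` to `num_mechs_in + 1` is safe only while each entry of old_gensec_list is copied into new_gensec_list at most once, and nothing at the allocation site says so. Add a one-line comment stating that invariant (it is enforced by the found_spnego `continue` in the loop below), and consider a check that j stays within num_mechs_in before each write, so a later change to the loop fails loudly instead of writing past the array. The joined call is also longer than 80 columns now; keeping the original two-line wrapping and changing only the size expression would make the diff smaller.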
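
Review bot: The found_spnego flag and `continue` in the outer for loop (hunk @@ -84,14 +98,18 @@) come without a test; the series touches only auth/gensec/gensec_start.c. The commit message says SPNEGO was put into the list twice in the CRED_DONT_USE_KERBEROS case, so a unit test that passes a list containing an SPNEGO entry with that setting and checks that the entry appears once in the result would pin the fix and guard the smaller allocation. A smaller point: `bool found_spnego = false;` replaces the blank line after `int oid_idx;`, so the declarations now run straight into the inner for; keep a blank line after them.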