Address some optimized-out memset() calls
This commit is contained in:
Robbie Harwood
parent
7338b669da
commit
645562ea2f
94
Address-some-optimized-out-memset-calls.patch
Normal file
94
Address-some-optimized-out-memset-calls.patch
Normal file
@ -0,0 +1,94 @@
|
||||
From 0d83197140d2040d47ca79f006126e503680f661 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 30 Dec 2018 16:40:28 -0500
|
||||
Subject: [PATCH] Address some optimized-out memset() calls
|
||||
|
||||
Ilja Van Sprundel reported a list of memset() calls which gcc
|
||||
optimizes out. In krb_auth_su.c, use zap() to clear the password, and
|
||||
remove two memset() calls when there is no password to clear. In
|
||||
iakerb.c, remove an unnecessary memset() before setting the only two
|
||||
fields of the IAKERB header structure. In svr_principal.c, use
|
||||
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
|
||||
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
|
||||
shell before returning.
|
||||
|
||||
(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)
|
||||
---
|
||||
src/clients/ksu/krb_auth_su.c | 4 +---
|
||||
src/lib/gssapi/krb5/iakerb.c | 1 -
|
||||
src/lib/kadm5/srv/svr_principal.c | 10 ++--------
|
||||
src/lib/krb5/asn.1/asn1_k_encode.c | 1 -
|
||||
4 files changed, 3 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
|
||||
index 7af48195c..e39685fff 100644
|
||||
--- a/src/clients/ksu/krb_auth_su.c
|
||||
+++ b/src/clients/ksu/krb_auth_su.c
|
||||
@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
|
||||
if (code ) {
|
||||
com_err(prog_name, code, _("while reading password for '%s'\n"),
|
||||
client_name);
|
||||
- memset(password, 0, sizeof(password));
|
||||
return (FALSE);
|
||||
}
|
||||
|
||||
if ( pwsize == 0) {
|
||||
fprintf(stderr, _("No password given\n"));
|
||||
*zero_password = TRUE;
|
||||
- memset(password, 0, sizeof(password));
|
||||
return (FALSE);
|
||||
}
|
||||
|
||||
code = krb5_get_init_creds_password(context, &creds, client, password,
|
||||
krb5_prompter_posix, NULL, 0, NULL,
|
||||
options);
|
||||
- memset(password, 0, sizeof(password));
|
||||
+ zap(password, sizeof(password));
|
||||
|
||||
|
||||
if (code) {
|
||||
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
|
||||
index bb1072fe4..47c161ec9 100644
|
||||
--- a/src/lib/gssapi/krb5/iakerb.c
|
||||
+++ b/src/lib/gssapi/krb5/iakerb.c
|
||||
@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,
|
||||
/*
|
||||
* Assemble the IAKERB-HEADER from the realm and cookie
|
||||
*/
|
||||
- memset(&iah, 0, sizeof(iah));
|
||||
iah.target_realm = *realm;
|
||||
iah.cookie = cookie;
|
||||
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index 21c53ece1..9ab2c5a74 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
|
||||
ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
|
||||
NULL);
|
||||
if (ret) {
|
||||
- for (; i >= 0; i--) {
|
||||
- if (keys[i].contents) {
|
||||
- memset (keys[i].contents, 0, keys[i].length);
|
||||
- free( keys[i].contents );
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
|
||||
+ for (; i >= 0; i--)
|
||||
+ krb5_free_keyblock_contents(context, &keys[i]);
|
||||
free(keys);
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
|
||||
index 65c84be2f..81a34bac9 100644
|
||||
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
|
||||
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
|
||||
@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
|
||||
if (ret) {
|
||||
free_kdc_req_body(b);
|
||||
free(h.server_realm.data);
|
||||
- memset(&h, 0, sizeof(h));
|
||||
return ret;
|
||||
}
|
||||
b->server->realm = h.server_realm;
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 1.beta2.4%{?dist}
|
||||
Release: 1.beta2.5%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -64,6 +64,7 @@ Patch88: Become-FIPS-aware.patch
|
||||
Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
|
||||
Patch90: Add-tests-for-KCM-ccache-type.patch
|
||||
Patch91: Remove-incorrect-KDC-assertion.patch
|
||||
Patch92: Address-some-optimized-out-memset-calls.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -711,6 +712,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Fri Jan 04 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.5
|
||||
- Address some optimized-out memset() calls
|
||||
|
||||
* Thu Dec 20 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.4
|
||||
- Remove incorrect KDC assertion
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user