From 007e74d45ec9c1152e58fc65aeb8024257124ec1 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Fri, 20 Aug 2021 09:25:35 +0200
Subject: [PATCH] Resolves: rhbz#1994263 - Fix a crash in gss_release_oid() when destructing out_mec
---
...ss_release_oid-when-destructing-out_.patch | 79 +++++++++++++++++++
...0.28-Fix-comparison-of-OID-structure.patch | 35 --------
perl-GSSAPI.spec | 13 +--
3 files changed, 87 insertions(+), 40 deletions(-)
create mode 100644 GSSAPI-0.28-Fix-a-crash-in-gss_release_oid-when-destructing-out_.patch
delete mode 100644 GSSAPI-0.28-Fix-comparison-of-OID-structure.patch
diff --git a/GSSAPI-0.28-Fix-a-crash-in-gss_release_oid-when-destructing-out_.patch b/GSSAPI-0.28-Fix-a-crash-in-gss_release_oid-when-destructing-out_.patch
new file mode 100644
index 0000000..a85b332
--- /dev/null
+++ b/GSSAPI-0.28-Fix-a-crash-in-gss_release_oid-when-destructing-out_.patch
@@ -0,0 +1,79 @@
+From 159042c71bbdd5909f792208dcdffffb1674ecfe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 19 Aug 2021 16:07:06 +0200
+Subject: [PATCH] Fix a crash in gss_release_oid() when destructing out_mech
+ returned by gss_accept_sec_context()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If Perl GSSAPI was built against MIT krb5, an example gss-server.pl
+script crashed like this:
+
+ Program terminated with signal SIGSEGV, Segmentation fault.
+ #0 0x00007f27f3d48b23 in __GI___libc_free (mem=)
+ at malloc.c:3131
+ 3131 ar_ptr = arena_for_chunk (p);
+ (gdb) bt
+ #0 0x00007f27f3d48b23 in __GI___libc_free (mem=)
+ at malloc.c:3131
+ #1 0x00007f27f2fe17c6 in generic_gss_release_oid (
+ minor_status=minor_status@entry=0x7fffc750333c,
+ oid=oid@entry=0x7fffc7503340) at oid_ops.c:102
+ #2 0x00007f27f2fee6df in gss_release_oid (
+ minor_status=minor_status@entry=0x7fffc750333c,
+ oid=oid@entry=0x7fffc7503340) at g_initialize.c:202
+ #3 0x00007f27f322f5cf in XS_GSSAPI__OID_DESTROY (my_perl=,
+ cv=0x564037c87130) at ./xs/OID.xs:24
+ #4 0x00007f27f4f58149 in Perl_pp_entersub (my_perl=0x5640378d42a0)
+ at pp_hot.c:4227
+
+The cause is that gss_accept_sec_context() returns a pointer to
+a static storage in out_mech argument. When GSSAPI passed out_mech to
+a desctructor, the invoked gss_release_oid() crashed when freeing the
+memory.
+
+Accoding to RFC 2744, the static storage is correct. Hence the flaw is
+on Perl GSSAPI side. This patch fixes it by copying the out_mech OID
+object on a heap which is then correctly processed by
+gss_release_oid().
+
+CPAN RT#121873.
+
+Signed-off-by: Petr Písař
+---
+ xs/Context.xs | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/xs/Context.xs b/xs/Context.xs
+index d176f08..4549595 100644
+--- a/xs/Context.xs
++++ b/xs/Context.xs
+@@ -80,6 +80,24 @@ accept(context, acc_cred, in_token, binding, out_name, out_mech, out_token, out_
+ &in_token, binding, out_name, out_mech,
+ &out_token, out_flags, out_time,
+ delegated_cred);
++#if !defined(HEIMDAL)
++ if (out_mech && *out_mech) {
++ /* RFC 2744 documents that the returned *out_mech is a pointer
++ * to static data. To prevent from freeing them when destructing
++ * out_mech, we change *out_mech into a pointer to a heap-allocated
++ * buffer with the same content. Otherwise, MITKRB5-provided
++ * gss_release_oid() deallocator which cannot recognize this static
++ * storage would crash. We use malloc() because gss_release_oid() used
++ * free(). */
++ GSSAPI__OID copy = malloc(sizeof(*copy));
++ if (!copy) croak("Not enough memory for copying out_mech!");
++ copy->elements = malloc((*out_mech)->length);
++ if (!copy->elements) croak("Not enough memory for copying out_mech!");
++ memcpy(copy->elements, (*out_mech)->elements, (*out_mech)->length);
++ copy->length = (*out_mech)->length;
++ *out_mech = copy;
++ }
++#endif
+ OUTPUT:
+ RETVAL
+ context
+--
+2.31.1
+
diff --git a/GSSAPI-0.28-Fix-comparison-of-OID-structure.patch b/GSSAPI-0.28-Fix-comparison-of-OID-structure.patch
deleted file mode 100644
index f61af74..0000000
--- a/GSSAPI-0.28-Fix-comparison-of-OID-structure.patch
+++ /dev/null
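Review bot: The guard after the second malloc() in the added block leaks the freshly allocated `copy` when `elements` cannot be allocated, because croak() does not return to this frame; the line should read `if (!copy->elements) { free(copy); croak("Not enough memory for copying out_mech!"); }`. The same call passes `(*out_mech)->length` to malloc() unchecked, and a zero length would be reported as an out-of-memory error on platforms where malloc(0) returns NULL — a mechanism OID is not expected to be empty, but skipping the copy for `length == 0` keeps the error honest. The enclosing XS `accept` body begins before and ends after the hunk, so it cannot be confirmed here that `*out_mech` is initialized on every error return of gss_accept_sec_context(); since GSS_C_NO_OID is a null pointer, the `*out_mech` test already covers the documented failure value. The comment's note that the copy must come from malloc() because the MIT gss_release_oid() path ends in free() is the important invariant to keep: switching this block to Perl's Newx()/Safefree() allocator later would reintroduce a mismatched free on the MIT build, which is the same class of invalid-free crash that brought down the accepting server in the backtrace above.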
@@ -1,35 +0,0 @@
-From 4b213b1f0c9681f74d12f991db008f1d891d7447 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20Josef=20=C5=A0pa=C4=8Dek?=
-Date: Mon, 16 Aug 2021 15:30:50 +0200
-Subject: [PATCH] Fix comparison of OID structure
- --- - xs/OID.xs | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/xs/OID.xs b/xs/OID.xs
-index c805e45..7c2a4ba 100644
---- a/xs/OID.xs
-+++ b/xs/OID.xs
-@@ -15,12 +15,12 @@ DESTROY(oid)
- PPCODE:
- #if !defined(HEIMDAL)
- if (oid != NULL &&
-- oid != __KRB5_MECHTYPE_OID &&
-- oid != __KRB5_OLD_MECHTYPE_OID &&
-- oid != __GSS_KRB5_NT_USER_NAME &&
-- oid != __GSS_KRB5_NT_PRINCIPAL_NAME &&
-- oid != __SPNEGO_MECHTYPE_OID &&
-- oid != __gss_mech_krb5_v2 ) {
-+ ! gss_oid_equal(oid, __KRB5_MECHTYPE_OID) &&
-+ ! gss_oid_equal(oid, __KRB5_OLD_MECHTYPE_OID) &&
-+ ! gss_oid_equal(oid, __GSS_KRB5_NT_USER_NAME) &&
-+ ! gss_oid_equal(oid, __GSS_KRB5_NT_PRINCIPAL_NAME) &&
-+ ! gss_oid_equal(oid, __SPNEGO_MECHTYPE_OID) &&
-+ ! gss_oid_equal(oid, __gss_mech_krb5_v2) ) {
- (void)gss_release_oid(&minor, &oid);
- }
- #endif
---
-2.31.1
-
diff --git a/perl-GSSAPI.spec b/perl-GSSAPI.spec
index d9bd043..85ddb02 100644
--- a/perl-GSSAPI.spec
+++ b/perl-GSSAPI.spec
@@ -6,14 +6,14 @@ Name: perl-GSSAPI
Version: 0.28
-Release: 36%{?dist}
+Release: 37%{?dist}
Summary: Perl extension providing access to the GSSAPIv2 library
License: GPL+ or Artistic
URL: https://metacpan.org/release/GSSAPI
Source0: https://cpan.metacpan.org/authors/id/A/AG/AGROLMS/GSSAPI-%{version}.tar.gz
-# Fix comparison of OID structure (rhbz #1994263)
-Patch0: GSSAPI-0.28-Fix-comparison-of-OID-structure.patch
-BuildRequires: make
+# Fix a crash in gss_release_oid() when destructing out_mech (rhbz #1994263, CPAN RT#121873)
+Patch0: GSSAPI-0.28-Fix-a-crash-in-gss_release_oid-when-destructing-out_.patch
+BuildRequires: make
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: krb5-devel
@@ -62,7 +62,10 @@ find %{buildroot} -type f -name '*.bs' -empty -delete
%{_mandir}/man3/*
%changelog
-* Mon Aug 16 2021 Jitka Plesnikova - 0.28-24
+* Thu Aug 19 2021 Jitka Plesnikova - 0.28-37
+- Resolves: rhbz#1994263 - Fix a crash in gss_release_oid() when destructing out_mech
+
+* Mon Aug 16 2021 Jitka Plesnikova - 0.28-36
- Resolves: rhbz#1994263 - Fix comparison of OID structure
* Mon Aug 09 2021 Mohan Boddu - 0.28-35