kdc: remove outpadata from astgs_request_t

Remove the outpadata field from astgs_request_t, because it's not something we wish to expose publically (yet it is something that Samba needs in the client_access plugin API, to add Windows error information). Instead, allocate rep->padata at the start of AS/TGS request handling, and ensure it is valid for the lifetime of the request until it is encoded (at which point it will be freed and set to NULL if zero length, to avoid sending a zero length METHOD-DATA to the client). (The previous approach of setting rep->padata to point to &r->outpadata was fragile, because it required clearing the pointer before freeing the KDC-REP.)
2021-12-24 10:25:11 +11:00
parent 64dad876a4
commit b6be850e0d
5 changed files with 35 additions and 32 deletions
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -816,12 +816,12 @@ _kdc_gss_mk_pa_reply(astgs_request_t r,

    /* only return padata in error case if we have an error token */
    if (!GSS_ERROR(gcp->major) || gcp->output_token.length) {
-        ret = krb5_padata_add(r->context, &r->outpadata, KRB5_PADATA_GSS,
+        ret = krb5_padata_add(r->context, r->rep.padata, KRB5_PADATA_GSS,
                              gcp->output_token.value, gcp->output_token.length);
        if (ret)
            return ret;

-        /* token is now owned by outpadata */
+        /* token is now owned by r->rep.padata */
        gcp->output_token.length = 0;
        gcp->output_token.value = NULL;
    }