On Jul 20, 2011, at 1:07 AM, Greg Hudson wrote:

> On Tue, 2011-07-19 at 16:21 -0400, Benjamin Coddington wrote:
>> gss_acquire_cred
>> gss_accept_sec_context
>> gss_export_lucid_sec_context
>> gss_delete_sec_context
>
>> I found that before we got to gss_delete_sec_context(), we had already
>> tried to clean up the context in gss_krb5_export_lucid_sec_context()
>> -> krb5_gss_delete_sec_context(), which fails with G_VALIDATE_FAILED.
>> It also sets the context to GSS_C_NO_CONTEXT, so once we get to
>> gss_delete_sec_context(), context validation fails there too.
>
> Aha. Yes, that's the bug you found a reference to. (And thank you for
> explaining why that bug wasn't resulting in gssd crashes for everyone in
> previous releases. I had forgotten about the pointer validation code.)
> I've attached the patch which is due for krb5 1.9.2.
>
> gss_delete_sec_context should be unnecessary when
> gss_export_lucid_sec_context succeeds. Of course, it's harmless given
> the way GSS handles contexts (nulling out the pointer when they are
> released).
>
> <patch.txt>

Thank you, Greg. I can confirm that this fixes the problem we were seeing. It also fixes a leak when running without '-n', which was less obvious because we didn't open a new handle to the rcache each time.

Ben

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
