@vszakats
Member

@vszakats vszakats commented Oct 14, 2025

Before this patch system malloc()/free() were used to allocate
the buffer returned in the output_token object from the debug stub
of gss_init_sec_context() when enabled via CURL_STUB_GSS_CREDS in
debug-enabled libcurl builds. This object is later released via stock
gss_release_buffer(), which, in the Windows builds of MIT Kerberos,
doesn't use the system free(), but the Win32 HeapFree().

Fix it by using the GSS alloc/free macros: gssalloc_malloc() and
gssalloc_free() from gssapi_alloc.h.

To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs gssapi_alloc.h for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.

Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for gssapi_alloc.h is impossible
without build-level logic. Build-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)

Follow-up to 7384083 #17752


  • detect the necessary MIT Kerberos version and disable the DEBUGBUILD
    stub feature with <1.18.

I haven't actually tested this with a Windows build, which is also missing
from CI at the moment.

@vszakats vszakats marked this pull request as draft October 14, 2025 15:49
Got hit by curl symbol override: Turns out gssapi_alloc.h defines
the GSS allocators as inline functions. When I included it after
memdebug.h/curl_memory.h, it started using the curl allocators,
and crashed.
@vszakats
Member Author

Confusing results for what I thought was a fix: with the fix, it crashed.

Turns out gssapi_alloc.h doesn't contain declarations for gssapi_alloc()
and co, but the actual implementation as inline functions. By including it
after curl_memory.h and memdebug.h, the curl allocator override got
applied to the GSS implementation, causing the crash.

FWIW, the GSS inline implementation looks super risky because it depends
on a DEBUG_GSSALLOC macro. If this macro is set differently at use-time
than at library build-time, allocations will crash.
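
The include-order problem described in the comment above, modelled in a single C file as an added example (not code from this PR, curl or MIT Kerberos). All names (`sys_malloc`, `app_debug_malloc`, `lib_release_buffer`, `INCLUDE_ALLOC_HEADER`) and the tagged heaps are constructed stand-ins, and expanding a macro stands in for `#include`.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-ins: each heap tags its blocks with an owner byte, so a
   cross-heap free is reported here instead of corrupting memory. */
enum { HEAP_SYS = 'S', HEAP_APP = 'A', HDR = 16 };

static void *heap_alloc(int owner, size_t n)
{
  unsigned char *p = malloc(n + HDR);
  if(!p) return NULL;
  p[0] = (unsigned char)owner;
  return p + HDR;
}

/* Returns 0 when the block belongs to `owner`, -1 on a mismatch. */
static int heap_free(int owner, void *ptr)
{
  unsigned char *p = (unsigned char *)ptr - HDR;
  int ok = (p[0] == (unsigned char)owner);
  free(p);
  return ok ? 0 : -1;
}

/* System allocator, the library's release routine, the app's debug allocator */
static void *sys_malloc(size_t n) { return heap_alloc(HEAP_SYS, n); }
static int lib_release_buffer(void *p) { return heap_free(HEAP_SYS, p); }
static void *app_debug_malloc(size_t n) { return heap_alloc(HEAP_APP, n); }

/* The "header" carries an inline allocator body, not a declaration.
   Expanding this macro plays the role of #include at that point. */
#define INCLUDE_ALLOC_HEADER(name) \
  static void *name(size_t n) { return sys_malloc(n); }
INCLUDE_ALLOC_HEADER(alloc_included_first) /* before the override */
#define sys_malloc(n) app_debug_malloc(n)  /* the app's override header */
INCLUDE_ALLOC_HEADER(alloc_included_after) /* after the override */
#undef sys_malloc

/* Allocate through the given inline allocator, release via the library. */
static int roundtrip(void *(*alloc_fn)(size_t))
{
  void *tok = alloc_fn(32);
  return tok ? lib_release_buffer(tok) : -2;
}

int main(void)
{
  printf("header first: %d\n", roundtrip(alloc_included_first));
  printf("after override: %d\n", roundtrip(alloc_included_after));
  return 0;
}
```

The same inline body yields a matching release when expanded before the override and a mismatch after it, because the override macro rewrites the call inside the header's function body.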

@vszakats
Member Author

vszakats commented Oct 14, 2025

Next snag: Though gssapi_alloc.h was present in the repo first in v1.10,
it's missing from the installed dev package in v1.15, as seen in the old
linux CI job.

edit: answer: krb5/krb5@b4ef5a4
v1.10 (2012-01-27) only installed this header for Windows. v1.18 (2020-02-12)
started installing it for all platforms. Bummer.

@vszakats vszakats added tests Windows Windows-specific labels Oct 15, 2025
@vszakats vszakats marked this pull request as ready for review October 15, 2025 01:13
@vszakats vszakats changed the title from "gss: fix alloc/free in the debug stub on Windows with MIT Kerberos" to "gss: fix malloc/free in the debug stub on Windows with MIT Kerberos" Oct 15, 2025
@vszakats vszakats changed the title from "gss: fix malloc/free in the debug stub on Windows with MIT Kerberos" to "gss: fix malloc/free in the debug stub with MIT Kerberos Windows" Oct 15, 2025
@vszakats vszakats changed the title from "gss: fix malloc/free in the debug stub with MIT Kerberos Windows" to "krb5: fix malloc/free in the GSS debug stub (Windows)" Oct 17, 2025
@vszakats vszakats changed the title from "krb5: fix malloc/free in the GSS debug stub (Windows)" to "krb5: fix output_token allocators in the GSS debug stub (Windows)" Oct 17, 2025
@vszakats vszakats closed this in 87b72b8 Oct 17, 2025
@vszakats vszakats deleted the gssstubwin branch October 17, 2025 15:47