[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: crash in 1.4.2 and https

From: Samay <getafix123_at_hotmail.com>
Date: 2006-11-13 23:53:01 CET

> Ben Collins-Sussman wrote:
>> Well, there must be some code somewhere that is calling the svn_auth.h
>> API incorrectly. The API says that the client code should first call
>> svn_auth_first_credentials(), which will either return creds or not.
>> If creds are returned and fail to authenticate, then the caller can
>> try fetching 'more' credentials by calling svn_auth_next_credentials()
>> over and over, until we run out of creds (creds comes back as NULL.)
>> If you look at the code to first_credentials(), the only time the
>> iter_baton is set to NULL is when there are no creds at all. That
>> means the some SSPI code must be calling next_credentials() even when
>> first_credentials() returned nothing! That would very wrong. :-)
>> I can't help with debugging the SSPI scenario, but perhaps we should
>> patch next_credentials() to check that (iter_baton != NULL), and throw
>> a real svn_error_t if it is.
> What would happen if neon tries different auth methods while increasing
> the 'attempt' value each time? Would that maybe cause this kind of crash?
> Because as I understand, Subversion only calls
> svn_auth_first_credentials() if 'attempt' is zero, but it should call this
> for every 'new' auth method. I could be wrong here of course.
> Stefan
> --

it works fine if compiled with Neon 0.25.5. Previous discussion abotu 1.4.0
SVN win32 is here http://svn.haxx.se/users/archive-2006-09/0955.shtml

Issue is reproducible on both on Win32 & Linux when used with https &
SPNego/SSPI authentication if SVN (1.4.0, 1.4.1) is compiled with Neon



To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Nov 13 23:53:20 2006

This is an archived mail posted to the Subversion Dev mailing list.