Fix SSPI login when multiple roundtrips are required

This fixes SSPI login failures showing "The function
requested is not supported", often showing up when connecting
to localhost. The reason was not properly updating the SSPI
handle when multiple roundtrips were required to complete the
authentication sequence.

Report and analysis by Ahmed Shinwari, patch by Magnus Hagander

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index d8f440877b79ac04d703fcd29c363a530d957e87..875d0a39a18fe0c43bd7aae4eec40fedf80c7b16 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1353,16 +1353,22 @@ pg_SSPI_recvauth(Port *port)
                                                  _("could not accept SSPI security context"), r);
                }
 
+               /*
+                * Overwrite the current context with the one we just received.
+                * If sspictx is NULL it was the first loop and we need to allocate
+                * a buffer for it. On subsequent runs, we can just overwrite the
+                * buffer contents since the size does not change.
+                */
                if (sspictx == NULL)
                {
                        sspictx = malloc(sizeof(CtxtHandle));
                        if (sspictx == NULL)
                                ereport(ERROR,
                                                (errmsg("out of memory")));
-
-                       memcpy(sspictx, &newctx, sizeof(CtxtHandle));
                }
 
+               memcpy(sspictx, &newctx, sizeof(CtxtHandle));
+
                if (r == SEC_I_CONTINUE_NEEDED)
                        elog(DEBUG4, "SSPI continue needed");