krb5 commit: Fix defcred leak in krb5 gss_inquire_cred()

Greg Hudson ghudson at mit.edu
Wed Jul 21 12:04:59 EDT 2021


https://github.com/krb5/krb5/commit/593e16448e1af23eef74689afe06a7bcc86e79c7
commit 593e16448e1af23eef74689afe06a7bcc86e79c7
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jul 16 13:39:39 2021 -0400

    Fix defcred leak in krb5 gss_inquire_cred()
    
    Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
    management of krb5_gss_inquire_cred(), introducing defcred to act as
    an owner pointer when the function must acquire a default credential.
    The commit neglected to update the code to release the default cred
    along the successful path.  The old code does not trigger because
    cred_handle is now reassigned, so the default credential is leaked.
    
    Unify the success and failure cleanup for this function so that
    defcred is properly released on success.
    
    Reported by Pavel Březina.
    
    ticket: 9016
    tags: pullup
    target_version: 1.19-next
    target_version: 1.18-next

 src/lib/gssapi/krb5/inq_cred.c |   16 ++++++----------
 1 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f2541..bb63b72 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     if ((code = krb5_timeofday(context, &now))) {
         *minor_status = code;
         ret = GSS_S_FAILURE;
-        goto fail;
+        goto cleanup;
     }
 
     if (cred->expire != 0) {
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             *minor_status = code;
             save_error_info(*minor_status, context);
             ret = GSS_S_FAILURE;
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             if (ret_name)
                 kg_release_name(context, &ret_name);
             /* *minor_status set above */
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
 
     if (cred_usage)
         *cred_usage = cred->usage;
-    k5_mutex_unlock(&cred->lock);
 
     if (mechanisms) {
         *mechanisms = mechs;
         mechs = GSS_C_NO_OID_SET;
     }
 
-    if (cred_handle == GSS_C_NO_CREDENTIAL)
-        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
-    krb5_free_context(context);
     *minor_status = 0;
-    return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
-fail:
+    ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
+
+cleanup:
     k5_mutex_unlock(&cred->lock);
     krb5_gss_release_cred(&tmpmin, &defcred);
     krb5_free_context(context);
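Review bot: The shared `cleanup:` label now depends on two unstated invariants that deserve a comment: every path reaching it must hold `cred->lock`, and the unlock must come before `krb5_gss_release_cred(&tmpmin, &defcred)`. The ordering matters because, judging by the removed release of `cred` in the default case, `cred` appears to point at the same object as `defcred` when the caller passed GSS_C_NO_CREDENTIAL. Reordering those two calls, or adding a `goto cleanup` above the point where the lock is taken, would operate on a freed or unheld mutex. I would add `/* Reached only with cred->lock held; unlock before releasing defcred, which cred may alias. */` above the unlock. The function starts and ends outside this hunk, so the lock acquisition and the initial value of `defcred` cannot be checked from here.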

