krb5 commit: Fix unimportant memory leaks
ghudson at mit.edu
ghudson at mit.edu
Tue Oct 10 00:28:09 EDT 2023
https://github.com/krb5/krb5/commit/6c5471176f5266564fbc8a7e02f03b4b042202f8
commit 6c5471176f5266564fbc8a7e02f03b4b042202f8
Author: Steve Grubb <sgrubb at redhat.com>
Date: Thu Jul 13 16:22:30 2023 -0400
Fix unimportant memory leaks
Eliminate memory leaks detected through static analysis and manual
review. These leaks are unlikely to happen repeatedly in long-running
processes.
[jrische at redhat.com: fixed many additional leaks]
[ghudson at mit.edu: fixed additional leaks; edited for style; removed
some unused ksu functions; rewrote commit message]
src/appl/gss-sample/gss-client.c | 367 +++++++++++---------------
src/appl/gss-sample/gss-server.c | 3 +-
src/clients/klist/klist.c | 59 +++--
src/clients/ksu/authorization.c | 134 +++++-----
src/clients/ksu/ccache.c | 283 +++++++-------------
src/clients/ksu/heuristic.c | 128 +++++----
src/clients/ksu/krb_auth_su.c | 134 +++-------
src/clients/ksu/ksu.h | 6 -
src/clients/ksu/main.c | 3 +-
src/kadmin/cli/keytab.c | 6 +-
src/kadmin/ktutil/ktutil.c | 1 +
src/kprop/kpropd.c | 21 +-
src/lib/gssapi/krb5/export_cred.c | 4 +-
src/lib/gssapi/krb5/val_cred.c | 6 +-
src/lib/kadm5/srv/server_kdb.c | 7 +-
src/lib/krb5/ccache/cc_kcm.c | 4 +
src/lib/krb5/ccache/ccfns.c | 12 +-
src/lib/krb5/keytab/kt_file.c | 3 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 8 +-
19 files changed, 517 insertions(+), 672 deletions(-)
diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
index 0722ae196..2cfcfc6cc 100644
--- a/src/appl/gss-sample/gss-client.c
+++ b/src/appl/gss-sample/gss-client.c
@@ -182,180 +182,148 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags,
char *username, char *password,
gss_ctx_id_t *gss_context, OM_uint32 *ret_flags)
{
- if (auth_flag) {
- gss_buffer_desc send_tok, recv_tok, *token_ptr;
- gss_name_t target_name;
- OM_uint32 maj_stat, min_stat, init_sec_min_stat;
- int token_flags;
- gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
- gss_name_t gss_username = GSS_C_NO_NAME;
- gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET;
-
- if (spnego) {
- mechs.elements = &gss_spnego_mechanism_oid_desc;
- mechs.count = 1;
- mechsp = &mechs;
- } else if (oid != GSS_C_NO_OID) {
- mechs.elements = oid;
- mechs.count = 1;
- mechsp = &mechs;
- } else {
- mechs.elements = NULL;
- mechs.count = 0;
- }
+ int result = -1, st;
+ gss_buffer_desc send_tok, recv_tok, pwbuf, *token_ptr;
+ gss_name_t target_name = GSS_C_NO_NAME, gss_username = GSS_C_NO_NAME;
+ OM_uint32 maj_stat, min_stat, init_sec_min_stat;
+ int token_flags;
+ gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+ gss_OID_set_desc mechs, neg_mechs, *mechsp = GSS_C_NO_OID_SET;
+
+ if (!auth_flag)
+ return send_token(s, TOKEN_NOOP, empty_token);
+
+ if (spnego) {
+ mechs.elements = &gss_spnego_mechanism_oid_desc;
+ mechs.count = 1;
+ mechsp = &mechs;
+ } else if (oid != GSS_C_NO_OID) {
+ mechs.elements = oid;
+ mechs.count = 1;
+ mechsp = &mechs;
+ } else {
+ mechs.elements = NULL;
+ mechs.count = 0;
+ }
- if (username != NULL) {
- send_tok.value = username;
- send_tok.length = strlen(username);
+ if (username != NULL) {
+ send_tok.value = username;
+ send_tok.length = strlen(username);
- maj_stat = gss_import_name(&min_stat, &send_tok,
- (gss_OID) gss_nt_user_name,
- &gss_username);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("parsing client name", maj_stat, min_stat);
- return -1;
- }
- }
-
- if (password != NULL) {
- gss_buffer_desc pwbuf;
-
- pwbuf.value = password;
- pwbuf.length = strlen(password);
-
- maj_stat = gss_acquire_cred_with_password(&min_stat,
- gss_username,
- &pwbuf, 0,
- mechsp, GSS_C_INITIATE,
- &cred, NULL, NULL);
- } else if (gss_username != GSS_C_NO_NAME) {
- maj_stat = gss_acquire_cred(&min_stat,
- gss_username, 0,
- mechsp, GSS_C_INITIATE,
- &cred, NULL, NULL);
- } else
- maj_stat = GSS_S_COMPLETE;
+ maj_stat = gss_import_name(&min_stat, &send_tok,
+ (gss_OID) gss_nt_user_name, &gss_username);
if (maj_stat != GSS_S_COMPLETE) {
- display_status("acquiring creds", maj_stat, min_stat);
- gss_release_name(&min_stat, &gss_username);
- return -1;
+ display_status("parsing client name", maj_stat, min_stat);
+ goto cleanup;
}
- if (spnego && oid != GSS_C_NO_OID) {
- gss_OID_set_desc neg_mechs;
-
- neg_mechs.elements = oid;
- neg_mechs.count = 1;
+ }
- maj_stat = gss_set_neg_mechs(&min_stat, cred, &neg_mechs);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("setting neg mechs", maj_stat, min_stat);
- gss_release_name(&min_stat, &gss_username);
- gss_release_cred(&min_stat, &cred);
- return -1;
- }
- }
- gss_release_name(&min_stat, &gss_username);
-
- /*
- * Import the name into target_name. Use send_tok to save
- * local variable space.
- */
- send_tok.value = service_name;
- send_tok.length = strlen(service_name);
- maj_stat = gss_import_name(&min_stat, &send_tok,
- (gss_OID) gss_nt_service_name,
- &target_name);
+ if (password != NULL) {
+ pwbuf.value = password;
+ pwbuf.length = strlen(password);
+
+ maj_stat = gss_acquire_cred_with_password(&min_stat, gss_username,
+ &pwbuf, 0, mechsp,
+ GSS_C_INITIATE, &cred, NULL,
+ NULL);
+ } else if (gss_username != GSS_C_NO_NAME) {
+ maj_stat = gss_acquire_cred(&min_stat, gss_username, 0, mechsp,
+ GSS_C_INITIATE, &cred, NULL, NULL);
+ } else {
+ maj_stat = GSS_S_COMPLETE;
+ }
+ if (maj_stat != GSS_S_COMPLETE) {
+ display_status("acquiring creds", maj_stat, min_stat);
+ goto cleanup;
+ }
+ if (spnego && oid != GSS_C_NO_OID) {
+ neg_mechs.elements = oid;
+ neg_mechs.count = 1;
+ maj_stat = gss_set_neg_mechs(&min_stat, cred, &neg_mechs);
if (maj_stat != GSS_S_COMPLETE) {
- display_status("parsing name", maj_stat, min_stat);
- return -1;
+ display_status("setting neg mechs", maj_stat, min_stat);
+ goto cleanup;
}
+ }
- if (!v1_format) {
- if (send_token(s, TOKEN_NOOP | TOKEN_CONTEXT_NEXT, empty_token) <
- 0) {
- (void) gss_release_name(&min_stat, &target_name);
- return -1;
- }
- }
+ /* Import the name into target_name. Use send_tok to save local variable
+ * space. */
+ send_tok.value = service_name;
+ send_tok.length = strlen(service_name);
+ maj_stat = gss_import_name(&min_stat, &send_tok,
+ (gss_OID) gss_nt_service_name, &target_name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ display_status("parsing name", maj_stat, min_stat);
+ goto cleanup;
+ }
- /*
- * Perform the context-establishement loop.
- *
- * On each pass through the loop, token_ptr points to the token
- * to send to the server (or GSS_C_NO_BUFFER on the first pass).
- * Every generated token is stored in send_tok which is then
- * transmitted to the server; every received token is stored in
- * recv_tok, which token_ptr is then set to, to be processed by
- * the next call to gss_init_sec_context.
- *
- * GSS-API guarantees that send_tok's length will be non-zero
- * if and only if the server is expecting another token from us,
- * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if
- * and only if the server has another token to send us.
- */
-
- token_ptr = GSS_C_NO_BUFFER;
- *gss_context = GSS_C_NO_CONTEXT;
-
- do {
- maj_stat = gss_init_sec_context(&init_sec_min_stat,
- cred, gss_context,
- target_name, mechs.elements,
- gss_flags, 0,
- NULL, /* channel bindings */
- token_ptr, NULL, /* mech type */
- &send_tok, ret_flags,
- NULL); /* time_rec */
-
- if (token_ptr != GSS_C_NO_BUFFER)
- free(recv_tok.value);
-
- if (send_tok.length != 0) {
- if (verbose)
- printf("Sending init_sec_context token (size=%d)...",
- (int) send_tok.length);
- if (send_token(s, v1_format ? 0 : TOKEN_CONTEXT, &send_tok) <
- 0) {
- (void) gss_release_buffer(&min_stat, &send_tok);
- (void) gss_release_name(&min_stat, &target_name);
- return -1;
- }
+ if (!v1_format) {
+ if (send_token(s, TOKEN_NOOP | TOKEN_CONTEXT_NEXT, empty_token) < 0)
+ goto cleanup;
+ }
+
+ /*
+ * Perform the context-establishment loop.
+ *
+ * On each pass through the loop, token_ptr points to the token to send to
+ * the server (or GSS_C_NO_BUFFER on the first pass). Every generated
+ * token is stored in send_tok which is then transmitted to the server;
+ * every received token is stored in recv_tok, which token_ptr is then set
+ * to, to be processed by the next call to gss_init_sec_context.
+ *
+ * GSS-API guarantees that send_tok's length will be non-zero if and only
+ * if the server is expecting another token from us, and that
+ * gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if and only if the
+ * server has another token to send us.
+ */
+
+ token_ptr = GSS_C_NO_BUFFER;
+ *gss_context = GSS_C_NO_CONTEXT;
+
+ do {
+ maj_stat = gss_init_sec_context(&init_sec_min_stat, cred, gss_context,
+ target_name, mechs.elements, gss_flags,
+ 0, NULL, token_ptr, NULL, &send_tok,
+ ret_flags, NULL);
+
+ if (token_ptr != GSS_C_NO_BUFFER)
+ free(recv_tok.value);
+
+ if (send_tok.length > 0) {
+ if (verbose) {
+ printf("Sending init_sec_context token (size=%d)...",
+ (int) send_tok.length);
}
+ st = send_token(s, v1_format ? 0 : TOKEN_CONTEXT, &send_tok);
(void) gss_release_buffer(&min_stat, &send_tok);
+ if (st < 0)
+ goto cleanup;
+ }
- if (maj_stat != GSS_S_COMPLETE
- && maj_stat != GSS_S_CONTINUE_NEEDED) {
- display_status("initializing context", maj_stat,
- init_sec_min_stat);
- (void) gss_release_name(&min_stat, &target_name);
- (void) gss_release_cred(&min_stat, &cred);
- if (*gss_context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&min_stat, gss_context,
- GSS_C_NO_BUFFER);
- return -1;
- }
+ if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
+ display_status("initializing context", maj_stat,
+ init_sec_min_stat);
+ goto cleanup;
+ }
- if (maj_stat == GSS_S_CONTINUE_NEEDED) {
- if (verbose)
- printf("continue needed...");
- if (recv_token(s, &token_flags, &recv_tok) < 0) {
- (void) gss_release_name(&min_stat, &target_name);
- return -1;
- }
- token_ptr = &recv_tok;
- }
+ if (maj_stat == GSS_S_CONTINUE_NEEDED) {
if (verbose)
- printf("\n");
- } while (maj_stat == GSS_S_CONTINUE_NEEDED);
+ printf("continue needed...");
+ if (recv_token(s, &token_flags, &recv_tok) < 0)
+ goto cleanup;
+ token_ptr = &recv_tok;
+ }
+ if (verbose)
+ printf("\n");
+ } while (maj_stat == GSS_S_CONTINUE_NEEDED);
- (void) gss_release_cred(&min_stat, &cred);
- (void) gss_release_name(&min_stat, &target_name);
- } else {
- if (send_token(s, TOKEN_NOOP, empty_token) < 0)
- return -1;
- }
+ result = 0;
- return 0;
+cleanup:
+ (void) gss_release_name(&min_stat, &gss_username);
+ (void) gss_release_cred(&min_stat, &cred);
+ (void) gss_release_name(&min_stat, &target_name);
+ return result;
}
static void
@@ -436,11 +404,11 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
{
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_buffer_desc in_buf, out_buf;
- int s, state;
+ int s = -1, result = -1, state;
OM_uint32 ret_flags;
OM_uint32 maj_stat, min_stat;
- gss_name_t src_name, targ_name;
- gss_buffer_desc sname, tname;
+ gss_name_t src_name = GSS_C_NO_NAME, targ_name = GSS_C_NO_NAME;
+ gss_buffer_desc sname = GSS_C_EMPTY_BUFFER, tname = GSS_C_EMPTY_BUFFER;
OM_uint32 lifetime;
gss_OID mechanism, name_type;
int is_local;
@@ -454,14 +422,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
/* Open connection */
if ((s = connect_to_server(host, port)) < 0)
- return -1;
+ goto cleanup;
/* Establish context */
if (client_establish_context(s, service_name, gss_flags, auth_flag,
v1_format, oid, username, password,
&context, &ret_flags) < 0) {
- (void) closesocket(s);
- return -1;
+ goto cleanup;
}
if (auth_flag && verbose) {
@@ -475,19 +442,19 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&is_local, &is_open);
if (maj_stat != GSS_S_COMPLETE) {
display_status("inquiring context", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
maj_stat = gss_display_name(&min_stat, src_name, &sname, &name_type);
if (maj_stat != GSS_S_COMPLETE) {
display_status("displaying source name", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
maj_stat = gss_display_name(&min_stat, targ_name, &tname,
(gss_OID *) NULL);
if (maj_stat != GSS_S_COMPLETE) {
display_status("displaying target name", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
(int) sname.length, (char *) sname.value,
@@ -496,15 +463,10 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
(is_local) ? "locally initiated" : "remotely initiated",
(is_open) ? "open" : "closed");
- (void) gss_release_name(&min_stat, &src_name);
- (void) gss_release_name(&min_stat, &targ_name);
- (void) gss_release_buffer(&min_stat, &sname);
- (void) gss_release_buffer(&min_stat, &tname);
-
maj_stat = gss_oid_to_str(&min_stat, name_type, &oid_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("converting oid->string", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
printf("Name type of source name is %.*s.\n",
(int) oid_name.length, (char *) oid_name.value);
@@ -515,13 +477,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
mechanism, &mech_names);
if (maj_stat != GSS_S_COMPLETE) {
display_status("inquiring mech names", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
maj_stat = gss_oid_to_str(&min_stat, mechanism, &oid_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("converting oid->string", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
printf("Mechanism %.*s supports %d names\n",
(int) oid_name.length, (char *) oid_name.value,
@@ -533,7 +495,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&mech_names->elements[i], &oid_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("converting oid->string", maj_stat, min_stat);
- return -1;
+ goto cleanup;
}
printf(" %d: %.*s\n", (int) i,
(int) oid_name.length, (char *) oid_name.value);
@@ -558,10 +520,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&in_buf, &state, &out_buf);
if (maj_stat != GSS_S_COMPLETE) {
display_status("wrapping message", maj_stat, min_stat);
- (void) closesocket(s);
- (void) gss_delete_sec_context(&min_stat, &context,
- GSS_C_NO_BUFFER);
- return -1;
+ goto cleanup;
} else if (encrypt_flag && !state) {
fprintf(stderr, "Warning! Message not encrypted.\n");
}
@@ -575,22 +534,15 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
(wrap_flag ? TOKEN_WRAPPED : 0) |
(encrypt_flag ? TOKEN_ENCRYPTED : 0) |
(mic_flag ? TOKEN_SEND_MIC : 0))),
- &out_buf) < 0) {
- (void) closesocket(s);
- (void) gss_delete_sec_context(&min_stat, &context,
- GSS_C_NO_BUFFER);
- return -1;
- }
+ &out_buf) < 0)
+ goto cleanup;
+
if (out_buf.value != in_buf.value)
(void) gss_release_buffer(&min_stat, &out_buf);
/* Read signature block into out_buf */
- if (recv_token(s, &token_flags, &out_buf) < 0) {
- (void) closesocket(s);
- (void) gss_delete_sec_context(&min_stat, &context,
- GSS_C_NO_BUFFER);
- return -1;
- }
+ if (recv_token(s, &token_flags, &out_buf) < 0)
+ goto cleanup;
if (mic_flag) {
/* Verify signature block */
@@ -598,10 +550,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
&out_buf, &qop_state);
if (maj_stat != GSS_S_COMPLETE) {
display_status("verifying signature", maj_stat, min_stat);
- (void) closesocket(s);
- (void) gss_delete_sec_context(&min_stat, &context,
- GSS_C_NO_BUFFER);
- return -1;
+ goto cleanup;
}
if (verbose)
@@ -621,23 +570,17 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
if (!v1_format)
(void) send_token(s, TOKEN_NOOP, empty_token);
- if (auth_flag) {
- /* Delete context */
- maj_stat = gss_delete_sec_context(&min_stat, &context, &out_buf);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("deleting context", maj_stat, min_stat);
- (void) closesocket(s);
- (void) gss_delete_sec_context(&min_stat, &context,
- GSS_C_NO_BUFFER);
- return -1;
- }
-
- (void) gss_release_buffer(&min_stat, &out_buf);
- }
-
- (void) closesocket(s);
+ result = 0;
- return 0;
+cleanup:
+ (void) gss_release_name(&min_stat, &src_name);
+ (void) gss_release_name(&min_stat, &targ_name);
+ (void) gss_release_buffer(&min_stat, &sname);
+ (void) gss_release_buffer(&min_stat, &tname);
+ (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
+ if (s >= 0)
+ (void) closesocket(s);
+ return result;
}
static void
diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
index 0e9c857e5..4ba864d9f 100644
--- a/src/appl/gss-sample/gss-server.c
+++ b/src/appl/gss-sample/gss-server.c
@@ -138,13 +138,12 @@ server_acquire_creds(char *service_name, gss_OID mech,
}
maj_stat = gss_acquire_cred(&min_stat, server_name, 0, mechs, GSS_C_ACCEPT,
server_creds, NULL, NULL);
+ (void) gss_release_name(&min_stat, &server_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("acquiring credentials", maj_stat, min_stat);
return -1;
}
- (void) gss_release_name(&min_stat, &server_name);
-
return 0;
}
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index c797b1698..b5ae96a84 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -469,20 +469,21 @@ do_ccache()
static int
show_ccache(krb5_ccache cache)
{
- krb5_cc_cursor cur;
+ krb5_cc_cursor cur = NULL;
krb5_creds creds;
- krb5_principal princ;
+ krb5_principal princ = NULL;
krb5_error_code ret;
+ int status = 1;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) {
com_err(progname, ret, "");
- return 1;
+ goto cleanup;
}
ret = krb5_unparse_name(context, princ, &defname);
if (ret) {
com_err(progname, ret, _("while unparsing principal name"));
- return 1;
+ goto cleanup;
}
printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
@@ -498,27 +499,33 @@ show_ccache(krb5_ccache cache)
ret = krb5_cc_start_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while starting to retrieve tickets"));
- return 1;
+ goto cleanup;
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
show_credential(&creds);
krb5_free_cred_contents(context, &creds);
}
- krb5_free_principal(context, princ);
- krb5_free_unparsed_name(context, defname);
- defname = NULL;
if (ret == KRB5_CC_END) {
ret = krb5_cc_end_seq_get(context, cache, &cur);
+ cur = NULL;
if (ret) {
com_err(progname, ret, _("while finishing ticket retrieval"));
- return 1;
+ goto cleanup;
}
- return 0;
} else {
com_err(progname, ret, _("while retrieving a ticket"));
- return 1;
+ goto cleanup;
}
+
+ status = 0;
+
+cleanup:
+ if (cur != NULL)
+ (void)krb5_cc_end_seq_get(context, cache, &cur);
+ krb5_free_principal(context, princ);
+ krb5_free_unparsed_name(context, defname);
+ return status;
}
/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
@@ -526,15 +533,18 @@ static int
check_ccache(krb5_ccache cache)
{
krb5_error_code ret;
- krb5_cc_cursor cur;
+ krb5_cc_cursor cur = NULL;
krb5_creds creds;
- krb5_principal princ;
- krb5_boolean found_tgt, found_current_tgt, found_current_cred;
+ krb5_principal princ = NULL;
+ krb5_boolean found_tgt = FALSE, found_current_tgt = FALSE;
+ krb5_boolean found_current_cred = FALSE;
- if (krb5_cc_get_principal(context, cache, &princ) != 0)
- return 1;
- if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
- return 1;
+ ret = krb5_cc_get_principal(context, cache, &princ);
+ if (ret)
+ goto cleanup;
+ ret = krb5_cc_start_seq_get(context, cache, &cur);
+ if (ret)
+ goto cleanup;
found_tgt = found_current_tgt = found_current_cred = FALSE;
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (is_local_tgt(creds.server, &princ->realm)) {
@@ -547,12 +557,17 @@ check_ccache(krb5_ccache cache)
}
krb5_free_cred_contents(context, &creds);
}
- krb5_free_principal(context, princ);
if (ret != KRB5_CC_END)
- return 1;
- if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
- return 1;
+ goto cleanup;
+ ret = krb5_cc_end_seq_get(context, cache, &cur);
+ cur = NULL;
+cleanup:
+ if (cur != NULL)
+ (void)krb5_cc_end_seq_get(context, cache, &cur);
+ krb5_free_principal(context, princ);
+ if (ret)
+ return 1;
/* If the cache contains at least one local TGT, require that it be
* current. Otherwise accept any current cred. */
if (found_tgt)
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index 17a8a8f2f..1f2650c2a 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -28,7 +28,17 @@
#include "ksu.h"
-static void auth_cleanup (FILE *, FILE *, char *);
+static void
+free_fcmd_list(char **list)
+{
+ size_t i;
+
+ if (list == NULL)
+ return;
+ for (i = 0; i < MAX_CMD && list[i] != NULL; i++)
+ free(list[i]);
+ free(list);
+}
krb5_boolean
fowner(FILE *fp, uid_t uid)
@@ -52,10 +62,10 @@ fowner(FILE *fp, uid_t uid)
/*
* Given a Kerberos principal "principal", and a local username "luser",
- * determine whether user is authorized to login according to the
- * authorization files ~luser/.k5login" and ~luser/.k5users. Returns TRUE
- * if authorized, FALSE if not authorized.
- *
+ * determine whether user is authorized to login according to the authorization
+ * files ~luser/.k5login" and ~luser/.k5users. Set *ok to TRUE if authorized,
+ * FALSE if not authorized. Return 0 if the authorization check succeeded
+ * (regardless of its result), non-zero if it encountered an error.
*/
krb5_error_code
@@ -64,7 +74,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
char **out_fcmd)
{
struct passwd *pwd;
- char *princname;
+ char *princname = NULL;
int k5login_flag =0;
int k5users_flag =0;
krb5_boolean retbool =FALSE;
@@ -76,7 +86,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
/* no account => no access */
if ((pwd = getpwnam(luser)) == NULL)
- return 0;
+ goto cleanup;
retval = krb5_unparse_name(context, principal, &princname);
if (retval)
@@ -93,22 +103,19 @@ krb5_authorization(krb5_context context, krb5_principal principal,
/* k5login and k5users must be owned by target user or root */
if (!k5login_flag){
- if ((login_fp = fopen(k5login_path, "r")) == NULL)
- return 0;
- if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
- fclose(login_fp);
- return 0;
- }
+ login_fp = fopen(k5login_path, "r");
+ if (login_fp == NULL)
+ goto cleanup;
+ if (fowner(login_fp, pwd->pw_uid) == FALSE)
+ goto cleanup;
}
if (!k5users_flag){
- if ((users_fp = fopen(k5users_path, "r")) == NULL) {
- return 0;
- }
- if ( fowner(users_fp, pwd->pw_uid) == FALSE){
- fclose(users_fp);
- return 0;
- }
+ users_fp = fopen(k5users_path, "r");
+ if (users_fp == NULL)
+ goto cleanup;
+ if (fowner(users_fp, pwd->pw_uid) == FALSE)
+ goto cleanup;
}
if (auth_debug){
@@ -127,10 +134,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
princname);
retval = k5login_lookup(login_fp, princname, &retbool);
- if (retval) {
- auth_cleanup(users_fp, login_fp, princname);
- return retval;
- }
+ if (retval)
+ goto cleanup;
if (retbool) {
if (cmd)
*out_fcmd = xstrdup(cmd);
@@ -140,10 +145,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
if ((!k5users_flag) && (retbool == FALSE) ){
retval = k5users_lookup (users_fp, princname,
cmd, &retbool, out_fcmd);
- if(retval) {
- auth_cleanup(users_fp, login_fp, princname);
- return retval;
- }
+ if (retval)
+ goto cleanup;
}
if (k5login_flag && k5users_flag){
@@ -159,8 +162,14 @@ krb5_authorization(krb5_context context, krb5_principal principal,
}
*ok =retbool;
- auth_cleanup(users_fp, login_fp, princname);
- return 0;
+
+cleanup:
+ if (users_fp != NULL)
+ fclose(users_fp);
+ if (login_fp != NULL)
+ fclose(login_fp);
+ free(princname);
+ return retval;
}
/***********************************************************
@@ -320,10 +329,11 @@ krb5_boolean
fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
{
char * err;
- char ** tmp_fcmd;
+ char ** tmp_fcmd = NULL;
char * path_ptr, *path;
char * lp, * tc;
int i=0;
+ krb5_boolean ok = FALSE;
tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *));
@@ -331,7 +341,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
tmp_fcmd[0] = xstrdup(fcmd);
tmp_fcmd[1] = NULL;
*out_fcmd = tmp_fcmd;
- return TRUE;
+ tmp_fcmd = NULL;
}else{
/* must be either full path or just the cmd name */
if (strchr(fcmd, '/')){
@@ -339,7 +349,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
"either full path or just the cmd name\n"),
fcmd, KRB5_USERS_NAME);
*out_err = err;
- return FALSE;
+ goto cleanup;
}
#ifndef CMD_PATH
@@ -347,7 +357,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
"the cmd name, CMD_PATH must be defined \n"),
fcmd, KRB5_USERS_NAME, fcmd);
*out_err = err;
- return FALSE;
+ goto cleanup;
#else
path = xstrdup (CMD_PATH);
@@ -361,7 +371,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
asprintf(&err, _("Error: bad entry - %s in %s file, CMD_PATH "
"contains no paths \n"), fcmd, KRB5_USERS_NAME);
*out_err = err;
- return FALSE;
+ goto cleanup;
}
i=0;
@@ -370,7 +380,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
asprintf(&err, _("Error: bad path %s in CMD_PATH for %s must "
"start with '/' \n"), tc, KRB5_USERS_NAME );
*out_err = err;
- return FALSE;
+ goto cleanup;
}
tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd);
@@ -381,10 +391,15 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
tmp_fcmd[i] = NULL;
*out_fcmd = tmp_fcmd;
- return TRUE;
-
+ tmp_fcmd = NULL;
#endif /* CMD_PATH */
}
+
+ ok = TRUE;
+
+cleanup:
+ free_fcmd_list(tmp_fcmd);
+ return ok;
}
/********************************************
@@ -503,41 +518,42 @@ int
match_commands(char *fcmd, char *cmd, krb5_boolean *match,
char **cmd_out, char **err_out)
{
- char ** fcmd_arr;
+ char ** fcmd_arr = NULL;
char * err;
char * cmd_temp;
+ int result = 1;
if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){
*err_out = err;
- return 1;
+ goto cleanup;
}
if (cmd_single( cmd ) == TRUE){
if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */
-
- if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){
- *match = TRUE;
- *cmd_out = cmd_temp;
- return 0;
- }else{
+ if (!find_first_cmd_that_exists(fcmd_arr, &cmd_temp, &err)) {
*err_out = err;
- return 1;
+ goto cleanup;
}
- }else{
+
+ *match = TRUE;
+ *cmd_out = cmd_temp;
+ } else {
*match = FALSE;
- return 0;
}
}else{
if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */
*match = TRUE;
*cmd_out = xstrdup(cmd);
- return 0;
} else{
*match = FALSE;
- return 0;
}
}
+ result = 0;
+
+cleanup:
+ free_fcmd_list(fcmd_arr);
+ return result;
}
/*********************************************************
@@ -563,10 +579,7 @@ get_line(FILE *fp, char **out_line)
}
else {
chunk_count ++;
- if(!( line = (char *) realloc( line,
- chunk_count * sizeof(char) * BUFSIZ))){
- return ENOMEM;
- }
+ line = xrealloc(line, chunk_count * BUFSIZ);
line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
}
@@ -652,17 +665,6 @@ get_next_token (char **lnext)
return out_ptr;
}
-static void
-auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname)
-{
-
- free (princname);
- if (users_fp)
- fclose(users_fp);
- if (login_fp)
- fclose(login_fp);
-}
-
void
init_auth_names(char *pw_dir)
{
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index cca9ce2df..76cb1d6aa 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -40,6 +40,18 @@ copies the default cache into the secondary cache,
************************************************************************/
+static void
+free_creds_list(krb5_context context, krb5_creds **list)
+{
+ size_t i;
+
+ if (list == NULL)
+ return;
+ for (i = 0; list[i]; i++)
+ krb5_free_creds(context, list[i]);
+ free(list);
+}
+
void show_credential(krb5_context, krb5_creds *, krb5_ccache);
/* modifies only the cc_other, the algorithm may look a bit funny,
@@ -53,20 +65,19 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
krb5_boolean restrict_creds, krb5_principal primary_principal,
krb5_boolean *stored)
{
- int i=0;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
if (ks_ccache_is_initialized(context, cc_def)) {
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
- return retval;
- }
+ retval = krb5_get_nonexp_tkts(context, cc_def, &cc_def_creds_arr);
+ if (retval)
+ goto cleanup;
}
retval = krb5_cc_initialize(context, cc_target, target_principal);
if (retval)
- return retval;
+ goto cleanup;
if (restrict_creds) {
retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
@@ -79,22 +90,9 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
cc_other_creds_arr);
}
- if (cc_def_creds_arr){
- while (cc_def_creds_arr[i]){
- krb5_free_creds(context, cc_def_creds_arr[i]);
- i++;
- }
- }
-
- i=0;
-
- if(cc_other_creds_arr){
- while (cc_other_creds_arr[i]){
- krb5_free_creds(context, cc_other_creds_arr[i]);
- i++;
- }
- }
-
+cleanup:
+ free_creds_list(context, cc_def_creds_arr);
+ free_creds_list(context, cc_other_creds_arr);
return retval;
}
@@ -184,32 +182,29 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
{
krb5_creds creds, temp_tktq, temp_tkt;
- krb5_creds **temp_creds;
+ krb5_creds **temp_creds = NULL;
krb5_error_code retval=0;
krb5_cc_cursor cur;
int count = 0;
int chunk_count = 1;
- if ( ! ( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){
- return ENOMEM;
- }
-
-
+ temp_creds = xcalloc(CHUNK, sizeof(*temp_creds));
memset(&temp_tktq, 0, sizeof(temp_tktq));
memset(&temp_tkt, 0, sizeof(temp_tkt));
memset(&creds, 0, sizeof(creds));
/* initialize the cursor */
- if ((retval = krb5_cc_start_seq_get(context, cc, &cur))) {
- return retval;
- }
+ retval = krb5_cc_start_seq_get(context, cc, &cur);
+ if (retval)
+ goto cleanup;
while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){
if (!krb5_is_config_principal(context, creds.server) &&
(retval = krb5_check_exp(context, creds.times))){
+ krb5_free_cred_contents(context, &creds);
if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){
- return retval;
+ goto cleanup;
}
if (auth_debug){
fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n");
@@ -219,19 +214,19 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
}
}
else { /* these credentials didn't expire */
-
- if ((retval = krb5_copy_creds(context, &creds,
- &temp_creds[count]))){
- return retval;
- }
+ retval = krb5_copy_creds(context, &creds, &temp_creds[count]);
+ krb5_free_cred_contents(context, &creds);
+ temp_creds[count+1] = NULL;
+ if (retval)
+ goto cleanup;
count ++;
if (count == (chunk_count * CHUNK -1)){
chunk_count ++;
- if (!(temp_creds = (krb5_creds **) realloc(temp_creds,
- chunk_count * CHUNK * sizeof(krb5_creds *)))){
- return ENOMEM;
- }
+
+ temp_creds = xrealloc(temp_creds,
+ chunk_count * CHUNK *
+ sizeof(*temp_creds));
}
}
@@ -239,13 +234,15 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
temp_creds[count] = NULL;
*creds_array = temp_creds;
+ temp_creds = NULL;
if (retval == KRB5_CC_END) {
retval = krb5_cc_end_seq_get(context, cc, &cur);
}
+cleanup:
+ free_creds_list(context, temp_creds);
return retval;
-
}
krb5_error_code
@@ -315,122 +312,33 @@ printtime(krb5_timestamp ts)
printf("%s", fmtbuf);
}
-
-krb5_error_code
-krb5_get_login_princ(const char *luser, char ***princ_list)
-{
- struct stat sbuf;
- struct passwd *pwd;
- char pbuf[MAXPATHLEN];
- FILE *fp;
- char * linebuf;
- char *newline;
- int gobble, result;
- char ** buf_out;
- struct stat st_temp;
- int count = 0, chunk_count = 1;
-
- /* no account => no access */
-
- if ((pwd = getpwnam(luser)) == NULL) {
- return 0;
- }
- result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir);
- if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) {
- fprintf(stderr, _("home directory path for %s too long\n"), luser);
- exit (1);
- }
-
- if (stat(pbuf, &st_temp)) { /* not accessible */
- return 0;
- }
-
-
- /* open ~/.k5login */
- if ((fp = fopen(pbuf, "r")) == NULL) {
- return 0;
- }
- /*
- * For security reasons, the .k5login file must be owned either by
- * the user himself, or by root. Otherwise, don't grant access.
- */
- if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
- return 0;
- }
- if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
- fclose(fp);
- return 0;
- }
-
- /* check each line */
-
-
- if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM;
-
- if (!(buf_out = (char **) malloc( CHUNK * sizeof(char *)))) return ENOMEM;
-
- while ( fgets(linebuf, BUFSIZ, fp) != NULL) {
- /* null-terminate the input string */
- linebuf[BUFSIZ-1] = '\0';
- newline = NULL;
- /* nuke the newline if it exists */
- if ((newline = strchr(linebuf, '\n')))
- *newline = '\0';
-
- buf_out[count] = linebuf;
- count ++;
-
- if (count == (chunk_count * CHUNK -1)){
- chunk_count ++;
- if (!(buf_out = (char **) realloc(buf_out,
- chunk_count * CHUNK * sizeof(char *)))){
- return ENOMEM;
- }
- }
-
- /* clean up the rest of the line if necessary */
- if (!newline)
- while (((gobble = getc(fp)) != EOF) && gobble != '\n');
-
- if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM;
- }
-
- buf_out[count] = NULL;
- *princ_list = buf_out;
- fclose(fp);
- return 0;
-}
-
void
show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
{
krb5_error_code retval;
- char *name, *sname, *flags;
+ char *name = NULL, *sname = NULL, *defname = NULL, *flags;
int first = 1;
- krb5_principal princ;
- char * defname;
+ krb5_principal princ = NULL;
int show_flags =1;
retval = krb5_unparse_name(context, cred->client, &name);
if (retval) {
com_err(prog_name, retval, _("while unparsing client name"));
- return;
+ goto cleanup;
}
retval = krb5_unparse_name(context, cred->server, &sname);
if (retval) {
com_err(prog_name, retval, _("while unparsing server name"));
- free(name);
- return;
+ goto cleanup;
}
if ((retval = krb5_cc_get_principal(context, cc, &princ))) {
com_err(prog_name, retval, _("while retrieving principal name"));
- return;
+ goto cleanup;
}
if ((retval = krb5_unparse_name(context, princ, &defname))) {
com_err(prog_name, retval, _("while unparsing principal name"));
- return;
+ goto cleanup;
}
if (!cred->times.starttime)
@@ -468,8 +376,12 @@ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
}
}
putchar('\n');
+
+cleanup:
free(name);
free(sname);
+ free(defname);
+ krb5_free_principal(context, princ);
}
/* Create a random string suitable for a filename extension. */
@@ -501,37 +413,26 @@ krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct,
krb5_principal primary_principal)
{
krb5_error_code retval=0;
- krb5_principal temp_principal;
+ krb5_principal defprinc = NULL, princ;
krb5_creds ** ccs_creds_arr = NULL;
- int i=0;
if (ks_ccache_is_initialized(context, ccs)) {
- if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){
- return retval;
- }
+ retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr);
+ if (retval)
+ goto cleanup;
}
- if (ks_ccache_is_initialized(context, cct)) {
- if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){
- return retval;
- }
- }else{
- temp_principal = primary_principal;
- }
-
- if ((retval = krb5_cc_initialize(context, cct, temp_principal))){
- return retval;
- }
+ retval = krb5_cc_get_principal(context, cct, &defprinc);
+ princ = (retval == 0) ? defprinc : primary_principal;
+ retval = krb5_cc_initialize(context, cct, princ);
+ if (retval)
+ goto cleanup;
retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL);
- if (ccs_creds_arr){
- while (ccs_creds_arr[i]){
- krb5_free_creds(context, ccs_creds_arr[i]);
- i++;
- }
- }
-
+cleanup:
+ free_creds_list(context, ccs_creds_arr);
+ krb5_free_principal(context, defprinc);
return retval;
}
@@ -585,45 +486,40 @@ krb5_error_code
krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst)
{
- int i=0;
krb5_error_code retval=0;
- krb5_principal temp_principal;
+ krb5_principal temp_principal = NULL;
krb5_creds ** cc_creds_arr = NULL;
const char * cc_name;
krb5_boolean stored;
- cc_name = krb5_cc_get_name(context, cc);
+ if (!ks_ccache_is_initialized(context, cc))
+ return 0;
- if (ks_ccache_is_initialized(context, cc)) {
- if (auth_debug) {
- fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name);
- }
+ if (auth_debug) {
+ cc_name = krb5_cc_get_name(context, cc);
+ fprintf(stderr, "putting cache %s through a filter for -z option\n",
+ cc_name);
+ }
- if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){
- return retval;
- }
+ retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr);
+ if (retval)
+ goto cleanup;
- if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){
- return retval;
- }
+ retval = krb5_cc_get_principal(context, cc, &temp_principal);
+ if (retval)
+ goto cleanup;
- if ((retval = krb5_cc_initialize(context, cc, temp_principal))){
- return retval;
- }
+ retval = krb5_cc_initialize(context, cc, temp_principal);
+ if (retval)
+ goto cleanup;
- if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr,
- NULL, prst, &stored))){
- return retval;
- }
+ retval = krb5_store_some_creds(context, cc, cc_creds_arr, NULL, prst,
+ &stored);
- if (cc_creds_arr){
- while (cc_creds_arr[i]){
- krb5_free_creds(context, cc_creds_arr[i]);
- i++;
- }
- }
- }
- return 0;
+cleanup:
+ free_creds_list(context, cc_creds_arr);
+ krb5_free_principal(context, temp_principal);
+ return retval;
}
krb5_boolean
@@ -654,17 +550,20 @@ krb5_error_code
krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc,
krb5_principal princ, krb5_boolean *found)
{
- krb5_error_code retval;
+ krb5_error_code retval = 0;
krb5_creds ** creds_list = NULL;
if (ks_ccache_is_initialized(context, cc)) {
- if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){
- return retval;
- }
+ retval = krb5_get_nonexp_tkts(context, cc, &creds_list);
+ if (retval)
+ goto cleanup;
}
*found = krb5_find_princ_in_cred_list(context, creds_list, princ);
- return 0;
+
+cleanup:
+ free_creds_list(context, creds_list);
+ return retval;
}
krb5_boolean
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index e906de8ef..6ed94eb88 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -149,28 +149,31 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
*k5users_filt_list = NULL;
- if (! k5users_list){
+ if (k5users_list == NULL)
return 0;
- }
while(k5users_list[i]){
+ free(out_cmd);
+ out_cmd = NULL;
retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd);
if (retval)
- return retval;
+ goto cleanup;
if (found == FALSE){
free (k5users_list[i]);
k5users_list[i] = NULL;
- if (out_cmd) gb_err = out_cmd;
+ if (out_cmd) {
+ gb_err = out_cmd;
+ out_cmd = NULL;
+ }
} else
found_count ++;
i++;
}
- if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*))))
- return ENOMEM;
+ temp_filt_list = xcalloc(found_count + 1, sizeof(*temp_filt_list));
for(j= 0, k=0; j < i; j++ ) {
if (k5users_list[j]){
@@ -184,7 +187,10 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
free (k5users_list);
*k5users_filt_list = temp_filt_list;
- return 0;
+
+cleanup:
+ free(out_cmd);
+ return retval;
}
krb5_error_code
@@ -318,7 +324,7 @@ get_closest_principal(krb5_context context, char **plist,
retval = krb5_parse_name(context, plist[i], &temp_client);
if (retval)
- return retval;
+ goto cleanup;
pnelem = krb5_princ_size(context, temp_client);
@@ -346,6 +352,7 @@ get_closest_principal(krb5_context context, char **plist,
if(best_client){
if(krb5_princ_size(context, best_client) >
krb5_princ_size(context, temp_client)){
+ krb5_free_principal(context, best_client);
best_client = temp_client;
}
}else
@@ -358,9 +365,12 @@ get_closest_principal(krb5_context context, char **plist,
if (best_client) {
*found = TRUE;
*client = best_client;
+ best_client = NULL;
}
- return 0;
+cleanup:
+ krb5_free_principal(context, best_client);
+ return retval;
}
/****************************************************************
@@ -471,6 +481,7 @@ find_princ_in_list(krb5_context context, krb5_principal princ, char **plist,
i++;
}
+ free(princname);
return 0;
}
@@ -498,11 +509,9 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
{
princ_info princ_trials[10];
- krb5_principal cc_def_princ = NULL;
- krb5_principal temp_client;
- krb5_principal target_client;
- krb5_principal source_client;
- krb5_principal end_server;
+ krb5_principal cc_def_princ = NULL, temp_client = NULL;
+ krb5_principal target_client = NULL, source_client = NULL;
+ krb5_principal end_server = NULL;
krb5_error_code retval;
char ** aplist =NULL;
krb5_boolean found = FALSE;
@@ -519,54 +528,59 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
if (ks_ccache_is_initialized(context, cc_source)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
- return retval;
+ goto cleanup;
}
retval=krb5_parse_name(context, target_user, &target_client);
if (retval)
- return retval;
+ goto cleanup;
retval=krb5_parse_name(context, source_user, &source_client);
if (retval)
- return retval;
+ goto cleanup;
- if (source_uid == 0){
- if (target_uid != 0)
- *client = target_client; /* this will be used to restrict
- the cache copty */
- else {
- if(cc_def_princ)
- *client = cc_def_princ;
- else
- *client = target_client;
+ if (source_uid == 0) {
+ if (target_uid != 0) {
+ /* This will be used to restrict the cache copy. */
+ *client = target_client;
+ target_client = NULL;
+ } else if (cc_def_princ != NULL) {
+ *client = cc_def_princ;
+ cc_def_princ = NULL;
+ } else {
+ *client = target_client;
+ target_client = NULL;
}
-
if (auth_debug)
printf(" GET_best_princ_for_target: via source_uid == 0\n");
-
- return 0;
+ goto cleanup;
}
/* from here on, the code is for source_uid != 0 */
if (source_uid && (source_uid == target_uid)){
- if(cc_def_princ)
+ if (cc_def_princ != NULL) {
*client = cc_def_princ;
- else
+ cc_def_princ = NULL;
+ } else {
*client = target_client;
+ target_client = NULL;
+ }
if (auth_debug)
printf("GET_best_princ_for_target: via source_uid == target_uid\n");
- return 0;
+ goto cleanup;
}
/* Become root, then target for looking at .k5login.*/
if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) {
- return errno;
+ retval = errno;
+ goto cleanup;
}
/* if .k5users and .k5login do not exist */
if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
*client = target_client;
+ target_client = NULL;
if (cmd)
*path_out = NOT_AUTHORIZED;
@@ -574,26 +588,25 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
if (auth_debug)
printf(" GET_best_princ_for_target: via no auth files path\n");
- return 0;
+ goto cleanup;
}else{
retval = get_authorized_princ_names(target_user, cmd, &aplist);
if (retval)
- return retval;
+ goto cleanup;
/* .k5users or .k5login exist, but no authorization */
if ((!aplist) || (!aplist[0])) {
*path_out = NOT_AUTHORIZED;
if (auth_debug)
printf("GET_best_princ_for_target: via empty auth files path\n");
- return 0;
+ goto cleanup;
}
}
retval = krb5_sname_to_principal(context, hostname, NULL,
KRB5_NT_SRV_HST, &end_server);
if (retval)
- return retval;
-
+ goto cleanup;
/* first see if default principal of the source cache
* can get us in, then the target_user at realm, then the
@@ -616,7 +629,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval= find_princ_in_list(context, princ_trials[i].p, aplist,
&found);
if (retval)
- return retval;
+ goto cleanup;
if (found == TRUE){
princ_trials[i].found = TRUE;
@@ -625,12 +638,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
princ_trials[i].p,
end_server, &found);
if (retval)
- return retval;
+ goto cleanup;
if (found == TRUE){
- *client = princ_trials[i].p;
+ retval = krb5_copy_principal(context, princ_trials[i].p,
+ client);
if (auth_debug)
printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
- return 0;
+ goto cleanup;
}
}
}
@@ -643,21 +657,23 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
while (aplist[i]){
retval = krb5_parse_name(context, aplist[i], &temp_client);
if (retval)
- return retval;
+ goto cleanup;
retval = find_either_ticket (context, cc_source, temp_client,
end_server, &found);
if (retval)
- return retval;
+ goto cleanup;
if (found == TRUE){
if (auth_debug)
printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
*client = temp_client;
- return 0;
+ temp_client = NULL;
+ goto cleanup;
}
krb5_free_principal(context, temp_client);
+ temp_client = NULL;
i++;
}
@@ -668,11 +684,11 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
for (i=0; i < count; i ++){
if (princ_trials[i].found == TRUE){
- *client = princ_trials[i].p;
+ retval = krb5_copy_principal(context, princ_trials[i].p, client);
if (auth_debug)
printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
- return 0;
+ goto cleanup;
}
}
@@ -682,7 +698,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval=krb5_copy_principal(context, princ_trials[i].p,
&temp_client);
if(retval)
- return retval;
+ goto cleanup;
/* get the client name that is the closest
to the three princ in trials */
@@ -690,15 +706,15 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
retval=get_closest_principal(context, aplist, &temp_client,
&found);
if(retval)
- return retval;
+ goto cleanup;
if (found == TRUE){
*client = temp_client;
+ temp_client = NULL;
if (auth_debug)
printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
- return 0;
+ goto cleanup;
}
- krb5_free_principal(context, temp_client);
}
}
@@ -709,5 +725,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
*path_out = NOT_AUTHORIZED;
- return 0;
+ retval = 0;
+
+cleanup:
+ krb5_free_principal(context, cc_def_princ);
+ krb5_free_principal(context, target_client);
+ krb5_free_principal(context, source_client);
+ krb5_free_principal(context, temp_client);
+ krb5_free_principal(context, end_server);
+ return retval;
}
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index db10251f9..68cfe6b0e 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -37,33 +37,31 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
char *target_user, krb5_ccache cc, int *path_passwd,
uid_t target_uid)
{
- krb5_principal client;
+ krb5_principal client = NULL;
krb5_verify_init_creds_opt vfy_opts;
- krb5_creds tgt, tgtq;
+ krb5_creds tgt = { 0 }, tgtq = { 0 };
krb5_error_code retval =0;
int got_it = 0;
krb5_boolean zero_password;
+ krb5_boolean ok = FALSE;
*path_passwd = 0;
- memset(&tgtq, 0, sizeof(tgtq));
- memset(&tgt, 0, sizeof(tgt));
if ((retval= krb5_copy_principal(context, client_pname, &client))){
com_err(prog_name, retval, _("while copying client principal"));
- return (FALSE) ;
+ goto cleanup;
}
if ((retval= krb5_copy_principal(context, client, &tgtq.client))){
com_err(prog_name, retval, _("while copying client principal"));
- return (FALSE) ;
+ goto cleanup;
}
if ((retval = ksu_tgtname(context, krb5_princ_realm(context, client),
krb5_princ_realm(context, client),
&tgtq.server))){
com_err(prog_name, retval, _("while creating tgt for local realm"));
- krb5_free_principal(context, client);
- return (FALSE) ;
+ goto cleanup;
}
if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
@@ -77,7 +75,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
if ((retval != KRB5_CC_NOTFOUND) &&
(retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
com_err(prog_name, retval, _("while retrieving creds from cache"));
- return (FALSE) ;
+ goto cleanup;
}
} else{
got_it = 1;
@@ -88,7 +86,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
#ifdef GET_TGT_VIA_PASSWD
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
com_err("ksu", errno, _("while switching to target uid"));
- return FALSE;
+ goto cleanup;
}
@@ -102,19 +100,19 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
&tgt) == FALSE) {
krb5_seteuid(0);
- return FALSE;
+ goto cleanup;
}
*path_passwd = 1;
if (krb5_seteuid(0)) {
com_err("ksu", errno, _("while reclaiming root uid"));
- return FALSE;
+ goto cleanup;
}
#else
plain_dump_principal (context, client);
fprintf(stderr,
_("does not have any appropriate tickets in the cache.\n"));
- return FALSE;
+ goto cleanup;
#endif /* GET_TGT_VIA_PASSWD */
@@ -126,10 +124,16 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
&vfy_opts);
if (retval) {
com_err(prog_name, retval, _("while verifying ticket for server"));
- return (FALSE);
+ goto cleanup;
}
- return (TRUE);
+ ok = TRUE;
+
+cleanup:
+ krb5_free_principal(context, client);
+ krb5_free_cred_contents(context, &tgt);
+ krb5_free_cred_contents(context, &tgtq);
+ return ok;
}
krb5_boolean
@@ -137,11 +141,12 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
krb5_get_init_creds_opt *options,
krb5_boolean *zero_password, krb5_creds *creds_out)
{
+ krb5_boolean ok = FALSE;
krb5_error_code code;
- krb5_creds creds;
+ krb5_creds creds = { 0 };
krb5_timestamp now;
unsigned int pwsize;
- char password[255], *client_name, prompt[255];
+ char password[255], prompt[255], *client_name = NULL;
int result;
*zero_password = FALSE;
@@ -150,14 +155,14 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
if ((code = krb5_unparse_name(context, client, &client_name))) {
com_err (prog_name, code, _("when unparsing name"));
- return (FALSE);
+ goto cleanup;
}
memset(&creds, 0, sizeof(creds));
if ((code = krb5_timeofday(context, &now))) {
com_err(prog_name, code, _("while getting time of day"));
- return (FALSE);
+ goto cleanup;
}
result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "),
@@ -166,7 +171,7 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
fprintf(stderr,
_("principal name %s too long for internal buffer space\n"),
client_name);
- return FALSE;
+ goto cleanup;
}
pwsize = sizeof(password);
@@ -175,13 +180,13 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
if (code ) {
com_err(prog_name, code, _("while reading password for '%s'\n"),
client_name);
- return (FALSE);
+ goto cleanup;
}
if ( pwsize == 0) {
fprintf(stderr, _("No password given\n"));
*zero_password = TRUE;
- return (FALSE);
+ goto cleanup;
}
code = krb5_get_init_creds_password(context, &creds, client, password,
@@ -195,13 +200,19 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
fprintf(stderr, _("%s: Password incorrect\n"), prog_name);
else
com_err(prog_name, code, _("while getting initial credentials"));
- return (FALSE);
+ goto cleanup;
}
- if (creds_out != NULL)
+ if (creds_out != NULL) {
*creds_out = creds;
- else
- krb5_free_cred_contents(context, &creds);
- return (TRUE);
+ memset(&creds, 0, sizeof(creds));
+ }
+
+ ok = TRUE;
+
+cleanup:
+ krb5_free_cred_contents(context, &creds);
+ free(client_name);
+ return ok;
}
void
@@ -213,8 +224,10 @@ dump_principal(krb5_context context, char *str, krb5_principal p)
if ((retval = krb5_unparse_name(context, p, &stname))) {
fprintf(stderr, _(" %s while unparsing name\n"),
error_message(retval));
+ return;
}
fprintf(stderr, " %s: %s\n", str, stname);
+ free(stname);
}
void
@@ -226,71 +239,8 @@ plain_dump_principal (krb5_context context, krb5_principal p)
if ((retval = krb5_unparse_name(context, p, &stname))) {
fprintf(stderr, _(" %s while unparsing name\n"),
error_message(retval));
+ return;
}
fprintf(stderr, "%s ", stname);
-}
-
-
-/**********************************************************************
-returns the principal that is closest to client. plist contains
-a principal list obtained from .k5login and parhaps .k5users file.
-This routine gets called before getting the password for a tgt.
-A principal is picked that has the best chance of getting in.
-
-**********************************************************************/
-
-krb5_error_code
-get_best_principal(krb5_context context, char **plist, krb5_principal *client)
-{
- krb5_error_code retval =0;
- krb5_principal temp_client, best_client = NULL;
-
- int i = 0, nelem;
-
- if (! plist ) return 0;
-
- nelem = krb5_princ_size(context, *client);
-
- while(plist[i]){
-
- if ((retval = krb5_parse_name(context, plist[i], &temp_client))){
- return retval;
- }
-
- if (data_eq(*krb5_princ_realm(context, *client),
- *krb5_princ_realm(context, temp_client))) {
-
- if (nelem &&
- krb5_princ_size(context, *client) > 0 &&
- krb5_princ_size(context, temp_client) > 0) {
- krb5_data *p1 =
- krb5_princ_component(context, *client, 0);
- krb5_data *p2 =
- krb5_princ_component(context, temp_client, 0);
-
- if (data_eq(*p1, *p2)) {
-
- if (auth_debug){
- fprintf(stderr,
- "get_best_principal: compare with %s\n",
- plist[i]);
- }
-
- if(best_client){
- if(krb5_princ_size(context, best_client) >
- krb5_princ_size(context, temp_client)){
- best_client = temp_client;
- }
- }else{
- best_client = temp_client;
- }
- }
- }
-
- }
- i++;
- }
-
- if (best_client) *client = best_client;
- return 0;
+ free(stname);
}
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 66fb4bcc6..32ce11cb8 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -92,9 +92,6 @@ extern void plain_dump_principal
extern krb5_error_code krb5_parse_lifetime
(char *, long *);
-extern krb5_error_code get_best_principal
-(krb5_context, char **, krb5_principal *);
-
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
(krb5_context, krb5_ccache, krb5_principal, krb5_ccache,
@@ -117,9 +114,6 @@ extern krb5_error_code krb5_check_exp
extern char *flags_string (krb5_creds *);
-extern krb5_error_code krb5_get_login_princ
-(const char *, char ***);
-
extern void show_credential
(krb5_context, krb5_creds *, krb5_ccache);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 80a9c07db..debad9486 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -918,7 +918,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
if (retval) {
com_err(prog_name, retval,
_("while generating part of the target ccache name"));
- return retval;
+ goto cleanup;
}
if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
retval = ENOMEM;
@@ -930,6 +930,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
free(sym);
} while (ks_ccache_name_is_initialized(context, ccname));
retval = krb5_cc_resolve(context, ccname, &ccache);
+ free(ccname);
} else {
/* Look for a cache in the collection that we can reuse. */
retval = krb5_cc_cache_match(context, princ, &ccache);
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index 26f340af3..976c8969e 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -363,7 +363,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
{
krb5_principal princ = NULL;
krb5_keytab_entry entry;
- krb5_kt_cursor cursor;
+ krb5_kt_cursor cursor = NULL;
enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
int code, did_something;
krb5_kvno kvno;
@@ -443,6 +443,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
_("while temporarily ending keytab scan"));
goto cleanup;
}
+ cursor = NULL;
code = krb5_kt_remove_entry(context, keytab, &entry);
if (code != 0) {
com_err(whoami, code, _("while deleting entry from keytab"));
@@ -471,6 +472,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
com_err(whoami, code, _("while ending keytab scan"));
goto cleanup;
}
+ cursor = NULL;
/*
* If !did_someting then mode must be OLD or we would have
@@ -483,6 +485,8 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
}
cleanup:
+ if (cursor != NULL)
+ (void)krb5_kt_end_seq_get(context, keytab, &cursor);
krb5_free_principal(context, princ);
}
diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
index 87a69ca14..a1c17d154 100644
--- a/src/kadmin/ktutil/ktutil.c
+++ b/src/kadmin/ktutil/ktutil.c
@@ -254,6 +254,7 @@ ktutil_list(int argc, char *argv[])
buf, sizeof(buf)))) {
com_err(argv[0], retval,
_("While converting enctype to string"));
+ free(pname);
return;
}
printf(" (%s) ", buf);
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 1b530fc2b..8da9c0ff7 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -1291,19 +1291,20 @@ static krb5_boolean
authorized_principal(krb5_context context, krb5_principal p,
krb5_enctype auth_etype)
{
- char *name, *ptr, buf[1024];
+ krb5_boolean ok = FALSE;
+ char *name = NULL, *ptr, buf[1024];
krb5_error_code retval;
- FILE *acl_file;
+ FILE *acl_file = NULL;
int end;
krb5_enctype acl_etype;
retval = krb5_unparse_name(context, p, &name);
if (retval)
- return FALSE;
+ goto cleanup;
acl_file = fopen(acl_file_name, "r");
if (acl_file == NULL)
- return FALSE;
+ goto cleanup;
while (!feof(acl_file)) {
if (!fgets(buf, sizeof(buf), acl_file))
@@ -1333,14 +1334,16 @@ authorized_principal(krb5_context context, krb5_principal p,
(acl_etype != auth_etype)))
continue;
- free(name);
- fclose(acl_file);
- return TRUE;
+ ok = TRUE;
+ goto cleanup;
}
}
+
+cleanup:
free(name);
- fclose(acl_file);
- return FALSE;
+ if (acl_file != NULL)
+ fclose(acl_file);
+ return ok;
}
static void
diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c
index 96a408c23..bf5cede54 100644
--- a/src/lib/gssapi/krb5/export_cred.c
+++ b/src/lib/gssapi/krb5/export_cred.c
@@ -447,8 +447,10 @@ krb5_gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
/* Validate and lock cred_handle. */
status = krb5_gss_validate_cred_1(minor_status, cred_handle, context);
- if (status != GSS_S_COMPLETE)
+ if (status != GSS_S_COMPLETE) {
+ krb5_free_context(context);
return status;
+ }
cred = (krb5_gss_cred_id_t)cred_handle;
if (json_kgcred(context, cred, &jcred))
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index 83e763410..d4b070f8c 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -35,6 +35,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
krb5_gss_cred_id_t cred;
krb5_error_code code;
krb5_principal princ;
+ krb5_boolean same;
cred = (krb5_gss_cred_id_t) cred_handle;
k5_mutex_lock(&cred->lock);
@@ -45,12 +46,13 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!krb5_principal_compare(context, princ, cred->name->princ)) {
+ same = krb5_principal_compare(context, princ, cred->name->princ);
+ (void)krb5_free_principal(context, princ);
+ if (!same) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- (void)krb5_free_principal(context, princ);
}
*minor_status = 0;
return GSS_S_COMPLETE;
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 2ec80a0f2..4efcaf994 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -67,11 +67,10 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
if (ret)
goto done;
- if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock))) {
+ ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
+ &master_keyblock);
+ if (ret)
krb5_db_fini(handle->context);
- return (ret);
- }
done:
if (r == NULL)
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
index c93e7c78e..1f917d49b 100644
--- a/src/lib/krb5/ccache/cc_kcm.c
+++ b/src/lib/krb5/ccache/cc_kcm.c
@@ -992,10 +992,14 @@ kcm_start_seq_get(krb5_context context, krb5_ccache cache,
if (cursor == NULL)
goto cleanup;
cursor->uuids = uuids;
+ uuids = NULL;
cursor->creds = creds;
+ creds = NULL;
*cursor_out = (krb5_cc_cursor)cursor;
cleanup:
+ free_cred_list(creds);
+ free_uuid_list(uuids);
kcmreq_free(&req);
return ret;
}
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index e0eb39a61..9b755f0e3 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -198,18 +198,18 @@ k5_build_conf_principals(krb5_context context, krb5_ccache id,
if (principal) {
ret = krb5_unparse_name(context, principal, &pname);
if (ret)
- return ret;
+ goto cleanup;
}
ret = krb5_build_principal(context, &cred->server,
sizeof(conf_realm) - 1, conf_realm,
conf_name, name, pname, (char *)NULL);
- krb5_free_unparsed_name(context, pname);
- if (ret) {
- krb5_free_principal(context, client);
- return ret;
- }
+ if (ret)
+ goto cleanup;
ret = krb5_copy_principal(context, client, &cred->client);
+
+cleanup:
+ krb5_free_unparsed_name(context, pname);
krb5_free_principal(context, client);
return ret;
}
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e510211fc..993f902c7 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -456,15 +456,16 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *
return ENOMEM;
}
*fileoff = KTSTARTOFF(id);
- *cursorp = (krb5_kt_cursor)fileoff;
KTITERS(id)++;
if (KTITERS(id) == 0) {
/* Wrapped?! */
KTITERS(id)--;
KTUNLOCK(id);
+ free(fileoff);
k5_setmsg(context, KRB5_KT_IOERR, "Too many keytab iterators active");
return KRB5_KT_IOERR; /* XXX */
}
+ *cursorp = (krb5_kt_cursor)fileoff;
KTUNLOCK(id);
return 0;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 753929b06..f7fad2786 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -271,16 +271,18 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm)
for (ent = ldap_first_entry (ld, result); ent != NULL;
ent = ldap_next_entry (ld, ent)) {
if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
- for (i = 0; values[i] != NULL; ++i) {
+ for (i = 0; values[i] != NULL && !st; ++i) {
krb5_parse_name(context, values[i], &principal);
if (principal_in_realm_2(principal, lrealm) == 0) {
st=krb5_ldap_delete_principal(context, principal);
- if (st && st != KRB5_KDB_NOENTRY)
- goto cleanup;
+ if (st == KRB5_KDB_NOENTRY)
+ st = 0;
}
krb5_free_principal(context, principal);
}
ldap_value_free(values);
+ if (st)
+ goto cleanup;
}
}
}
More information about the cvs-krb5
mailing list