[PATCH 3/4] Use gssalloc_malloc()/gssalloc_free() with gss_buffer_t.
Sam Hartman
hartmans at painless-security.com
Thu Oct 6 13:25:32 EDT 2011
From: Kevin Wasserman <kevin.wasserman at painless-security.com>
gss_buffer_t may be freed in a different module from where they
are allocated so it is not safe to use malloc/free.
Signed-off-by: Kevin Wasserman <kevin.wasserman at painless-security.com>
---
src/appl/gss-sample/gss-server.c | 37 +++++++++++++++++-------------
src/lib/gssapi/generic/oid_ops.c | 3 +-
src/lib/gssapi/generic/rel_buffer.c | 2 +-
src/lib/gssapi/generic/util_buffer.c | 2 +-
src/lib/gssapi/krb5/accept_sec_context.c | 2 +-
src/lib/gssapi/krb5/init_sec_context.c | 7 +----
src/lib/gssapi/krb5/k5seal.c | 22 +++++++++---------
src/lib/gssapi/krb5/k5sealv3.c | 14 +++++-----
src/lib/gssapi/krb5/k5unseal.c | 22 +++++++++---------
src/lib/gssapi/krb5/util_crypt.c | 4 +-
src/lib/gssapi/mechglue/g_dsp_status.c | 4 +-
src/lib/gssapi/mechglue/g_glue.c | 2 +-
src/lib/gssapi/mechglue/g_rel_buffer.c | 2 +-
src/lib/gssapi/mechglue/g_rel_name.c | 2 +-
src/lib/gssapi/mechglue/g_wrap_aead.c | 2 +-
15 files changed, 64 insertions(+), 63 deletions(-)
diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
index d914933..d683d73 100644
--- a/src/appl/gss-sample/gss-server.c
+++ b/src/appl/gss-sample/gss-server.c
@@ -415,13 +415,14 @@ test_import_export_context(gss_ctx_id_t *context)
static int
sign_server(int s, gss_cred_id_t server_creds, int export)
{
- gss_buffer_desc client_name, xmit_buf, msg_buf;
+ gss_buffer_desc client_name, xmit_buf, msg_buf, *send_buf;
gss_ctx_id_t context;
OM_uint32 maj_stat, min_stat;
int i, conf_state;
OM_uint32 ret_flags;
char *cp;
int token_flags;
+ int send_flags;
/* Establish a context with the client */
if (server_establish_context(s, server_creds, &context,
@@ -495,6 +496,7 @@ sign_server(int s, gss_cred_id_t server_creds, int export)
}
} else {
msg_buf = xmit_buf;
+ xmit_buf.value = 0;
}
if (logfile) {
@@ -518,27 +520,30 @@ sign_server(int s, gss_cred_id_t server_creds, int export)
display_status("signing message", maj_stat, min_stat);
return (-1);
}
+ send_flags = TOKEN_MIC;
+ send_buf = &xmit_buf;
+ }
+ else {
+ send_flags = TOKEN_NOOP;
+ send_buf = empty_token;
+ }
- if (msg_buf.value) {
+ if (msg_buf.value) {
+ if (token_flags & TOKEN_WRAPPED) {
+ gss_release_buffer(&min_stat, &msg_buf);
+ }
+ else {
free(msg_buf.value);
msg_buf.value = 0;
}
+ }
- /* Send the signature block to the client */
- if (send_token(s, TOKEN_MIC, &xmit_buf) < 0)
- return (-1);
+ /* Send the signature block or NOOP to the client */
+ if (send_token(s, send_flags, send_buf) < 0)
+ return (-1);
- if (xmit_buf.value) {
- free(xmit_buf.value);
- xmit_buf.value = 0;
- }
- } else {
- if (msg_buf.value) {
- free(msg_buf.value);
- msg_buf.value = 0;
- }
- if (send_token(s, TOKEN_NOOP, empty_token) < 0)
- return (-1);
+ if (xmit_buf.value) {
+ gss_release_buffer(&min_stat, &xmit_buf);
}
} while (1 /* loop will break if NOOP received */ );
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
index c423542..969a872 100644
--- a/src/lib/gssapi/generic/oid_ops.c
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -270,8 +270,7 @@ generic_gss_oid_to_str(OM_uint32 *minor_status,
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
- oid_str->length = krb5int_buf_len(&buf)+1;
- oid_str->value = (void *) bp;
+ gssint_transfer_k5buf_to_gss_buffer(&buf, oid_str);
return(GSS_S_COMPLETE);
}
diff --git a/src/lib/gssapi/generic/rel_buffer.c b/src/lib/gssapi/generic/rel_buffer.c
index fb67123..44dc981 100644
--- a/src/lib/gssapi/generic/rel_buffer.c
+++ b/src/lib/gssapi/generic/rel_buffer.c
@@ -48,7 +48,7 @@ generic_gss_release_buffer(
return(GSS_S_COMPLETE);
if (buffer->value) {
- free(buffer->value);
+ gssalloc_free(buffer->value);
buffer->length = 0;
buffer->value = NULL;
}
diff --git a/src/lib/gssapi/generic/util_buffer.c b/src/lib/gssapi/generic/util_buffer.c
index 81d86fc..da2d832 100644
--- a/src/lib/gssapi/generic/util_buffer.c
+++ b/src/lib/gssapi/generic/util_buffer.c
@@ -39,7 +39,7 @@ int g_make_string_buffer(const char *str, gss_buffer_t buffer)
buffer->length = strlen(str);
- if ((buffer->value = strdup(str)) == NULL) {
+ if ((buffer->value = gssalloc_strdup(str)) == NULL) {
buffer->length = 0;
return(0);
}
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 40dfa8b..64d0b3a 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1128,7 +1128,7 @@ kg_accept_krb5(minor_status, context_handle,
token.length = g_token_size(mech_used, ap_rep.length);
- if ((token.value = (unsigned char *) xmalloc(token.length))
+ if ((token.value = (unsigned char *) gssalloc_malloc(token.length))
== NULL) {
major_status = GSS_S_FAILURE;
code = ENOMEM;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index d62822e..7d9f494 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -474,15 +474,12 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
* For DCE RPC, do not encapsulate the AP-REQ in the
* typical GSS wrapping.
*/
- token->length = ap_req.length;
- token->value = ap_req.data;
-
- ap_req.data = NULL; /* don't double free */
+ gss_krb5int_transfer_krb5_data_to_gss_buffer(&ap_req, token);
} else {
/* allocate space for the token */
tlen = g_token_size((gss_OID) mech_type, ap_req.length);
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
+ if ((t = (unsigned char *) gssalloc_malloc(tlen)) == NULL) {
code = ENOMEM;
goto cleanup;
}
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index ad2a3cf..41604dc 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -112,7 +112,7 @@ make_seal_token_v1 (krb5_context context,
}
tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
+ if ((t = (unsigned char *) gssalloc_malloc(tlen)) == NULL)
return(ENOMEM);
/*** fill in the token */
@@ -159,14 +159,14 @@ make_seal_token_v1 (krb5_context context,
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code) {
- xfree(t);
+ gssalloc_free(t);
return(code);
}
md5cksum.length = sumlen;
if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) {
- xfree(t);
+ gssalloc_free(t);
return(ENOMEM);
}
@@ -174,7 +174,7 @@ make_seal_token_v1 (krb5_context context,
if ((code = kg_make_confounder(context, enc->keyblock.enctype,
plain))) {
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
}
@@ -188,7 +188,7 @@ make_seal_token_v1 (krb5_context context,
if (! (data_ptr =
(char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
@@ -204,7 +204,7 @@ make_seal_token_v1 (krb5_context context,
if (code) {
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
switch(signalg) {
@@ -218,7 +218,7 @@ make_seal_token_v1 (krb5_context context,
if (code) {
krb5_free_checksum_contents(context, &md5cksum);
xfree (plain);
- xfree(t);
+ gssalloc_free(t);
return code;
}
@@ -249,7 +249,7 @@ make_seal_token_v1 (krb5_context context,
if ((code = kg_make_seq_num(context, seq, direction?0:0xff,
(krb5_ui_4)*seqnum, ptr+14, ptr+6))) {
xfree (plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
@@ -265,7 +265,7 @@ make_seal_token_v1 (krb5_context context,
if (code)
{
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
assert (enc_key->length == 16);
@@ -279,7 +279,7 @@ make_seal_token_v1 (krb5_context context,
if (code)
{
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
}
@@ -290,7 +290,7 @@ make_seal_token_v1 (krb5_context context,
(krb5_pointer) (ptr+cksum_size+14),
tmsglen))) {
xfree(plain);
- xfree(t);
+ gssalloc_free(t);
return(code);
}
}
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index f050f6d..ac3d44d 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -136,7 +136,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* Get size of ciphertext. */
bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
/* Allocate space for header plus encrypted data. */
- outbuf = malloc(bufsize);
+ outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
return ENOMEM;
@@ -204,7 +204,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
- outbuf = malloc(bufsize);
+ outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
plain.data = 0;
@@ -290,7 +290,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
return 0;
error:
- free(outbuf);
+ gssalloc_free(outbuf);
token->value = NULL;
token->length = 0;
return err;
@@ -401,13 +401,13 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = bodysize - 16;
- plain.data = malloc(plain.length);
+ plain.data = gssalloc_malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
err = krb5_k_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
- free(plain.data);
+ gssalloc_free(plain.data);
goto error;
}
/* Don't use bodysize here! Use the fact that
@@ -424,7 +424,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
message_buffer->value = plain.data;
message_buffer->length = plain.length - ec - 16;
if(message_buffer->length == 0) {
- free(message_buffer->value);
+ gssalloc_free(message_buffer->value);
message_buffer->value = NULL;
}
} else {
@@ -467,7 +467,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
return GSS_S_BAD_SIG;
}
message_buffer->length = plain.length - 16;
- message_buffer->value = malloc(message_buffer->length);
+ message_buffer->value = gssalloc_malloc(message_buffer->length);
if (message_buffer->value == NULL)
goto no_mem;
memcpy(message_buffer->value, plain.data, message_buffer->length);
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index f864cc5..9351980 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -214,7 +214,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
}
if (token.length) {
- if ((token.value = (void *) xmalloc(token.length)) == NULL) {
+ if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
if (sealalg != 0xffff)
xfree(plain);
*minor_status = ENOMEM;
@@ -272,7 +272,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (sealalg != 0xffff)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
@@ -293,7 +293,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (code) {
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = code;
return(GSS_S_FAILURE);
}
@@ -306,7 +306,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (code) {
krb5_free_checksum_contents(context, &md5cksum);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -327,7 +327,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (sealalg != 0xffff)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -339,7 +339,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (sealalg == 0)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
@@ -364,7 +364,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (sealalg == 0)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = code;
return(GSS_S_FAILURE);
}
@@ -387,7 +387,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (sealalg != 0xffff)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
@@ -408,7 +408,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (code) {
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = code;
return(GSS_S_FAILURE);
}
@@ -425,7 +425,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if (code) {
if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
+ gssalloc_free(token.value);
*minor_status = 0;
return(GSS_S_BAD_SIG);
}
@@ -447,7 +447,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
if (toktype == KG_TOK_SEAL_MSG) {
- xfree(token.value);
+ gssalloc_free(token.value);
message_buffer->value = NULL;
message_buffer->length = 0;
}
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 0063817..b7b4a0a 100644
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -661,7 +661,7 @@ kg_release_iov(gss_iov_buffer_desc *iov, int iov_count)
for (i = 0; i < iov_count; i++) {
if (iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
- free(iov[i].buffer.value);
+ gssalloc_free(iov[i].buffer.value);
iov[i].buffer.length = 0;
iov[i].buffer.value = NULL;
iov[i].type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);
@@ -761,7 +761,7 @@ kg_allocate_iov(gss_iov_buffer_t iov, size_t size)
assert(iov->type & GSS_IOV_BUFFER_FLAG_ALLOCATE);
iov->buffer.length = size;
- iov->buffer.value = xmalloc(size);
+ iov->buffer.value = gssalloc_malloc(size);
if (iov->buffer.value == NULL) {
iov->buffer.length = 0;
return ENOMEM;
diff --git a/src/lib/gssapi/mechglue/g_dsp_status.c b/src/lib/gssapi/mechglue/g_dsp_status.c
index 13f104b..0df34be 100644
--- a/src/lib/gssapi/mechglue/g_dsp_status.c
+++ b/src/lib/gssapi/mechglue/g_dsp_status.c
@@ -84,7 +84,7 @@ gss_buffer_t status_string;
mapped to a flat numbering space. Look up the value we got
passed. If it's not found, complain. */
if (status_value == 0) {
- status_string->value = strdup("Unknown error");
+ status_string->value = gssalloc_strdup("Unknown error");
if (status_string->value == NULL) {
*minor_status = ENOMEM;
map_errcode(minor_status);
@@ -353,7 +353,7 @@ gss_buffer_t outStr;
/* now copy the status code and return to caller */
outStr->length = strlen(errStr);
- outStr->value = strdup(errStr);
+ outStr->value = gssalloc_strdup(errStr);
if (outStr->value == NULL) {
outStr->length = 0;
return (GSS_S_FAILURE);
diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
index 90febd5..2048523 100644
--- a/src/lib/gssapi/mechglue/g_glue.c
+++ b/src/lib/gssapi/mechglue/g_glue.c
@@ -724,7 +724,7 @@ gssint_create_copy_buffer(srcBuf, destBuf, addNullChar)
else
len = srcBuf->length;
- if (!(aBuf->value = (void*)malloc(len))) {
+ if (!(aBuf->value = (void*)gssalloc_malloc(len))) {
free(aBuf);
return (GSS_S_FAILURE);
}
diff --git a/src/lib/gssapi/mechglue/g_rel_buffer.c b/src/lib/gssapi/mechglue/g_rel_buffer.c
index c1104fd..8c3328a 100644
--- a/src/lib/gssapi/mechglue/g_rel_buffer.c
+++ b/src/lib/gssapi/mechglue/g_rel_buffer.c
@@ -49,7 +49,7 @@ gss_buffer_t buffer;
if ((buffer->length) &&
(buffer->value)) {
- free(buffer->value);
+ gssalloc_free(buffer->value);
buffer->length = 0;
buffer->value = NULL;
}
diff --git a/src/lib/gssapi/mechglue/g_rel_name.c b/src/lib/gssapi/mechglue/g_rel_name.c
index e8ac6c3..e008692 100644
--- a/src/lib/gssapi/mechglue/g_rel_name.c
+++ b/src/lib/gssapi/mechglue/g_rel_name.c
@@ -70,7 +70,7 @@ gss_name_t * input_name;
if (union_name->external_name != GSS_C_NO_BUFFER) {
if (union_name->external_name->value != NULL)
- free(union_name->external_name->value);
+ gssalloc_free(union_name->external_name->value);
free(union_name->external_name);
}
diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
index 7c059b4..ca1ef12 100644
--- a/src/lib/gssapi/mechglue/g_wrap_aead.c
+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
@@ -125,7 +125,7 @@ gssint_wrap_aead_iov_shim(gss_mechanism mech,
output_message_buffer->length += iov[i].buffer.length;
}
- output_message_buffer->value = malloc(output_message_buffer->length);
+ output_message_buffer->value = gssalloc_malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
--
1.7.6.3
More information about the krbdev
mailing list