From: Tom Yu Date: Mon, 11 May 2009 20:55:45 +0000 (+0000) Subject: pull up r22283, r22288 from trunk. r22283 was not originally part of X-Git-Tag: krb5-1.7-beta2~13 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0b483013ade5770ebd298a4c7eec0f0ef104fbc3;p=krb5.git pull up r22283, r22288 from trunk. r22283 was not originally part of this ticket but is a prereq for the mk_cred.c change. ------------------------------------------------------------------------ r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines Changed paths: M /trunk/src/lib/krb5/krb/mk_cred.c M /trunk/src/lib/krb5/krb/mk_priv.c M /trunk/src/lib/krb5/krb/mk_safe.c ticket: 6478 subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as a baseline. RET_SEQUENCE now implies DO_SEQUENCE for all three functions, the sequence number is always incremented if it is used, and outdata->seq is always set if RET_SEQUENCE is passed. Note that in the corresponding rd_ functions, RET_SEQUENCE and DO_SEQUENCE are independent flags, which is not consistent with the above. This compromise is intended to preserve compatibility with any working code which might exist using the RET_SEQUENCE flag. ------------------------------------------------------------------------ r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/krb/mk_cred.c Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error handling of the sequence number, only decreasing it if it was increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be flawed in some cases. ticket: 6478 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22331 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 561886825..f17a14858 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -162,14 +162,14 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
 krb5_replay_data replaydata;
 krb5_cred * pcred;
 krb5_int32 ncred;
+ krb5_boolean increased_sequence = FALSE;
 local_fulladdr.contents = 0;
 remote_fulladdr.contents = 0;
 memset(&replaydata, 0, sizeof(krb5_replay_data));
- if (ppcreds == NULL) {
+ if (ppcreds == NULL)
 return KRB5KRB_AP_ERR_BADADDR;
- }
 /*
 * Allocate memory for a NULL terminated list of tickets.
@@ -183,8 +183,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
 if ((pcred->tickets = (krb5_ticket **)calloc((size_t)ncred+1, sizeof(krb5_ticket *))) == NULL) {
- free(pcred);
- return ENOMEM;
+ retval = ENOMEM;
+ goto error;
 }
 /* Get keyblock */
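Review bot: The new `goto error` on calloc failure in the second hunk hands a half-built `pcred` (with `pcred->tickets == NULL`) to `krb5_free_cred()` at the `error:` label, so this path is only safe if `krb5_free_cred()` tolerates a NULL ticket list and `pcred` was zero-initialised when it was allocated. Neither is visible here; krb5_mk_ncred starts and ends outside this hunk. A short comment above the jump would record the dependency, e.g. `/* error: frees pcred; relies on krb5_free_cred() accepting a NULL tickets list */`.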
@@ -193,30 +193,32 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
 /* Get replay info */
 if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL)) {
+ retval = KRB5_RC_REQUIRED;
+ goto error;
+ }
 if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ && (outdata == NULL)) {
 /* Need a better error */
- return KRB5_RC_REQUIRED;
+ retval = KRB5_RC_REQUIRED;
+ goto error;
+ }
 if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, &replaydata.usec)))
- return retval;
+ goto error;
 if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
 outdata->timestamp = replaydata.timestamp;
 outdata->usec = replaydata.usec;
 }
 if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- auth_context->local_seq_number++;
- } else {
+ replaydata.seq = auth_context->local_seq_number++;
+ increased_sequence = TRUE;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
 outdata->seq = replaydata.seq;
- }
 }
 if (auth_context->local_addr) {
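Review bot: The sequence block near the end of this hunk now consumes a sequence number whenever RET_SEQUENCE is set, even without DO_SEQUENCE, and nothing in the code says so. The commit message notes that the rd_ functions still treat the two flags independently, so a reader comparing the sending and receiving sides is likely to take the asymmetry for a bug in the replay/ordering logic. A comment on the condition would keep the intent with the code, e.g. `/* RET_SEQUENCE implies DO_SEQUENCE on the mk_ side only; the number is consumed either way. */`, and the same comment belongs on the matching blocks in krb5_mk_priv (mk_priv.c) and krb5_mk_safe (mk_safe.c). Separately, the existing `/* Need a better error */` still applies: a NULL `outdata` is reported as KRB5_RC_REQUIRED, which a caller cannot tell apart from the missing-rcache case just above it.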
@@ -273,15 +275,12 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
 retval = encode_krb5_cred(pcred, ppdata);
 error:
- if (local_fulladdr.contents)
- free(local_fulladdr.contents);
- if (remote_fulladdr.contents)
- free(remote_fulladdr.contents);
+ free(local_fulladdr.contents);
+ free(remote_fulladdr.contents);
 krb5_free_cred(context, pcred);
 if (retval) {
- if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
- || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ if (increased_sequence)
 auth_context->local_seq_number--;
 }
 return retval;
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 5ac830695..727262cbe 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -151,12 +151,9 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
 }
 if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- auth_context->local_seq_number++;
- } else {
+ replaydata.seq = auth_context->local_seq_number++;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
 outdata->seq = replaydata.seq;
- }
 }
 {
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 9dac93245..0afa61e85 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -152,9 +152,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
 if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
 replaydata.seq = auth_context->local_seq_number++;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) {
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
 outdata->seq = replaydata.seq;
- }
 }
 {
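Review bot: In the `error:` path of krb5_mk_ncred (mk_cred.c, hunk at -273), the rollback `auth_context->local_seq_number--` leaves `outdata->seq`, written earlier in the function when RET_SEQUENCE is set, holding a number that the next successful call will issue again. A caller that reads `outdata` after a failure would therefore see a stale sequence number and timestamp, so the rollback should say that `outdata` is not meaningful on error, e.g. `/* undo the increment above; outdata contents are undefined on failure */`. The nested test can also be flattened to `if (retval && increased_sequence)`. The function body starts outside this hunk.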
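Review bot: krb5_mk_priv (mk_priv.c) now increments `local_seq_number` for RET_SEQUENCE-only callers, but unlike krb5_mk_ncred this hunk adds no `increased_sequence` flag, and the function's error path lies outside the hunk. If that path decrements based on the flags alone, confirm that every failure reaching it happens after this increment; otherwise a failed call would move the sequence number backwards and a later message would reuse a number already sent. Tracking the increment with a local boolean, as mk_cred.c now does, would make the rollback visibly balanced with the increment.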