From 4c7b4f6ece4284d015b920171442e2f29617073a Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 18 Feb 2000 00:14:12 +0000 Subject: [PATCH] * svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free call_arg on error, since svc_getargs should do that now. * svc_udp.c (svcudp_getargs): Free args on xdr decode error to avoid leaks. * svc_tcp.c (svctcp_getargs): Free args on xdr decode error to avoid leaks. * svc_raw.c (svcraw_getargs): Free args on xdr decode error to avoid leaks. * auth_gssapi.c (auth_gssapi_create): Don't explicitly free call_res anymore, since clnt_call should deal now. * clnt_udp.c (clntudp_call): Free stuff on error from xdr_replymsg() to prevent leaking. * clnt_tcp.c (clnttcp_call): Free stuff on error from xdr_replymsg() to avoid leaking. * clnt_raw.c (clntraw_call): Free stuff on error from xdr_replymsg() to avoid leaking. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12052 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/rpc/ChangeLog | 26 ++++++++++++++++++++++++++ src/lib/rpc/auth_gssapi.c | 1 - src/lib/rpc/clnt_raw.c | 17 ++++++++++++++++- src/lib/rpc/clnt_tcp.c | 9 +++++++++ src/lib/rpc/clnt_udp.c | 15 +++++++++++++++ src/lib/rpc/svc_auth_gssapi.c | 1 - src/lib/rpc/svc_raw.c | 6 +++++- src/lib/rpc/svc_tcp.c | 10 +++++++--- src/lib/rpc/svc_udp.c | 8 ++++++-- 9 files changed, 84 insertions(+), 9 deletions(-) diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index 444225c2a..27150b24f 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog 
@@ -1,3 +1,29 @@ +2000-02-17 Tom Yu + + * svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free + call_arg on error, since svc_getargs should do that now. + + * svc_udp.c (svcudp_getargs): Free args on xdr decode error to + avoid leaks. + + * svc_tcp.c (svctcp_getargs): Free args on xdr decode error to + avoid leaks. + + * svc_raw.c (svcraw_getargs): Free args on xdr decode error to + avoid leaks. + + * auth_gssapi.c (auth_gssapi_create): Don't explicitly free + call_res anymore, since clnt_call should deal now. + + * clnt_udp.c (clntudp_call): Free stuff on error from + xdr_replymsg() to prevent leaking. + + * clnt_tcp.c (clnttcp_call): Free stuff on error from + xdr_replymsg() to avoid leaking. + + * clnt_raw.c (clntraw_call): Free stuff on error from + xdr_replymsg() to avoid leaking. + 2000-02-16 Tom Yu * auth_gssapi.c (auth_gssapi_create): Free call_res because diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c index a81c2faf6..49d8846ee 100644 --- a/src/lib/rpc/auth_gssapi.c +++ b/src/lib/rpc/auth_gssapi.c @@ -293,7 +293,6 @@ next_token: if (callstat != RPC_SUCCESS) { struct rpc_err err; - xdr_free(xdr_authgssapi_init_res, &call_res); clnt_geterr(clnt, &err); if (callstat == RPC_AUTHERROR && (err.re_why == AUTH_BADCRED || err.re_why == AUTH_FAILED) diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c index ec5fa6f90..44fbf5da2 100644 --- a/src/lib/rpc/clnt_raw.c +++ b/src/lib/rpc/clnt_raw.c 
@@ -169,8 +169,23 @@ call_again: msg.acpted_rply.ar_verf = _null_auth; msg.acpted_rply.ar_results.where = resultsp; msg.acpted_rply.ar_results.proc = xresults; - if (! xdr_replymsg(xdrs, &msg)) + if (! xdr_replymsg(xdrs, &msg)) { + /* + * It's possible for xdr_replymsg() to fail partway + * through its attempt to decode the result from the + * server. If this happens, it will leave the reply + * structure partially populated with dynamically + * allocated memory. (This can happen if someone uses + * clntudp_bufcreate() to create a CLIENT handle and + * specifies a receive buffer size that is too small.) + * This memory must be free()ed to avoid a leak. + */ + int op = xdrs->x_op; + xdrs->x_op = XDR_FREE; + xdr_replymsg(xdrs, &msg); + xdrs->x_op = op; return (RPC_CANTDECODERES); + } sunrpc_seterr_reply(&msg, &error); status = error.re_status; diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c index 6f36553b9..4e10a489f 100644 --- a/src/lib/rpc/clnt_tcp.c +++ b/src/lib/rpc/clnt_tcp.c @@ -283,6 +283,15 @@ call_again: return (ct->ct_error.re_status); /* now decode and validate the response header */ if (! xdr_replymsg(xdrs, &reply_msg)) { + /* + * Free some stuff allocated by xdr_replymsg() + * to avoid leaks, since it may allocate + * memory from partially successful decodes. + */ + int op = xdrs->x_op; + xdrs->x_op = XDR_FREE; + xdr_replymsg(xdrs, &reply_msg); + xdrs->x_op = op; if (ct->ct_error.re_status == RPC_SUCCESS) continue; return (ct->ct_error.re_status); diff --git a/src/lib/rpc/clnt_udp.c b/src/lib/rpc/clnt_udp.c index 7ef61c975..60469429d 100644 --- a/src/lib/rpc/clnt_udp.c +++ b/src/lib/rpc/clnt_udp.c 
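Review bot: The free pass in the new `if (! xdr_replymsg(xdrs, &msg)) {` branch walks `msg.acpted_rply.ar_results`, which the context lines point at the caller's `resultsp` with `xresults`, so on RPC_CANTDECODERES the library may now release memory inside the caller's result buffer. A caller that still runs `xdr_free` on its result after a failed call would then free it a second time, which is only harmless if every result routine nulls the pointers it releases; this commit drops one such call in auth_gssapi.c, and callers outside the patch probably need the same audit. The comment block is copied from the UDP transport and its remark about clntudp_bufcreate() does not apply to the raw client; I would replace that parenthesis with `* The partial result in resultsp is released here; callers must not xdr_free() it again after RPC_CANTDECODERES.` clntraw_call begins and ends outside the hunk.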
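Review bot: `int op = xdrs->x_op;` holds an XDR operation code in a plain int, and the result of the freeing `xdr_replymsg(xdrs, &reply_msg);` call is dropped silently, while the svc_*.c hunks of this patch mark the ignored result with `(void)`. I would write `enum xdr_op op = xdrs->x_op;` and `(void) xdr_replymsg(xdrs, &reply_msg);` here and in the matching blocks in clnt_raw.c and clnt_udp.c. The comment could also say what is freed rather than "some stuff", e.g. `/* Release whatever a partially successful decode allocated in reply_msg. */`. The enclosing loop in clnttcp_call starts and ends outside the hunk.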
@@ -379,6 +379,21 @@ send_again: } } /* end of valid reply message */ else { + /* + * It's possible for xdr_replymsg() to fail partway + * through its attempt to decode the result from the + * server. If this happens, it will leave the reply + * structure partially populated with dynamically + * allocated memory. (This can happen if someone uses + * clntudp_bufcreate() to create a CLIENT handle and + * specifies a receive buffer size that is too small.) + * This memory must be free()ed to avoid a leak. + */ + int op = reply_xdrs.x_op; + reply_xdrs.x_op = XDR_FREE; + xdr_replymsg(&reply_xdrs, &reply_msg); + reply_xdrs.x_op = op; + return (RPC_CANTDECODERES); cu->cu_error.re_status = RPC_CANTDECODERES; } return (cu->cu_error.re_status); diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c index b1c275a4e..827596a3b 100644 --- a/src/lib/rpc/svc_auth_gssapi.c +++ b/src/lib/rpc/svc_auth_gssapi.c @@ -271,7 +271,6 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch) &call_arg)) { PRINTF(("svcauth_gssapi: cannot decode args\n")); LOG_MISCERR("protocol error in procedure arguments"); - xdr_free(xdr_authgssapi_init_arg, &call_arg); ret = AUTH_BADCRED; goto error; } diff --git a/src/lib/rpc/svc_raw.c b/src/lib/rpc/svc_raw.c index e5d966783..23ff8898a 100644 --- a/src/lib/rpc/svc_raw.c +++ b/src/lib/rpc/svc_raw.c @@ -141,7 +141,11 @@ svcraw_getargs(xprt, xdr_args, args_ptr) if (srp == 0) return (FALSE); - return ((*xdr_args)(&srp->xdr_stream, args_ptr)); + if (! (*xdr_args)(&srp->xdr_stream, args_ptr)) { + (void)svcraw_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c index 60872c54b..cece276cd 100644 --- a/src/lib/rpc/svc_tcp.c +++ b/src/lib/rpc/svc_tcp.c 
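Review bot: The added `return (RPC_CANTDECODERES);` sits directly above the existing `cu->cu_error.re_status = RPC_CANTDECODERES;`, so that assignment is now unreachable and the handle's stored error is never updated on this path. A later clnt_geterr() on the handle would presumably report whatever status was left from before, which can hide the decode failure from callers that inspect the error struct. Dropping the new return lets the branch fall through to the assignment and the existing `return (cu->cu_error.re_status);`. clntudp_call begins outside the hunk.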
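Review bot: svcraw_getargs now releases `args_ptr` itself when decoding fails, but nothing at the function states that changed contract; the same applies to svctcp_getargs and svcudp_getargs later in the patch. Dispatch code that calls svc_freeargs after a failed svc_getargs would run the free routine twice over the same structure, and the free pass walks whatever pointers `args_ptr` holds, so the buffer has to be zeroed before the call (both caller-side details are outside this patch and worth confirming). In the TCP and UDP versions the failing call is `SVCAUTH_UNWRAP`, which by its name can presumably fail for reasons other than an XDR decode error, so the free may run over arguments that were never touched. I would add above each function `/* On failure the partially decoded args are freed here; callers must zero *args_ptr before the call and must not call svc_freeargs() again. */`. The function signatures start outside the hunks.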
@@ -398,9 +398,13 @@ svctcp_getargs(xprt, xdr_args, args_ptr) xdrproc_t xdr_args; caddr_t args_ptr; { - return (SVCAUTH_UNWRAP(xprt->xp_auth, - &(((struct tcp_conn *)(xprt->xp_p1))->xdrs), - xdr_args, args_ptr)); + if (! SVCAUTH_UNWRAP(xprt->xp_auth, + &(((struct tcp_conn *)(xprt->xp_p1))->xdrs), + xdr_args, args_ptr)) { + (void)svctcp_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c index 454f99fc5..c17b4acbb 100644 --- a/src/lib/rpc/svc_udp.c +++ b/src/lib/rpc/svc_udp.c @@ -272,8 +272,12 @@ svcudp_getargs(xprt, xdr_args, args_ptr) xdrproc_t xdr_args; caddr_t args_ptr; { - return (SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), - xdr_args, args_ptr)); + if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), + xdr_args, args_ptr)) { + (void)svcudp_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t -- 2.26.2