bx509d: Do not leak temp ccaches

Nicolas Williams
2022-02-14 21:07:35 -06:00
parent 61607fa6ea
commit 2c8a078bcf


@@ -126,6 +126,8 @@ typedef int heim_mhd_result;
typedef enum MHD_Result heim_mhd_result; typedef enum MHD_Result heim_mhd_result;
#endif #endif
enum k5_creds_kind { K5_CREDS_EPHEMERAL, K5_CREDS_CACHED };
typedef struct bx509_request_desc { typedef struct bx509_request_desc {
HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS; HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;
@@ -136,6 +138,7 @@ typedef struct bx509_request_desc {
const char *for_cname; const char *for_cname;
const char *target; const char *target;
const char *redir; const char *redir;
enum k5_creds_kind cckind;
char *pkix_store; char *pkix_store;
char *ccname; char *ccname;
char *freeme1; char *freeme1;
@@ -954,6 +957,13 @@ clean_req_desc(struct bx509_request_desc *r)
hx509_request_free(&r->req); hx509_request_free(&r->req);
heim_release(r->reason); heim_release(r->reason);
heim_release(r->kv); heim_release(r->kv);
if (r->ccname && r->cckind == K5_CREDS_EPHEMERAL) {
const char *fn = r->ccname;
if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
fn += sizeof("FILE:") - 1;
(void) unlink(fn);
}
free(r->pkix_store); free(r->pkix_store);
free(r->freeme1); free(r->freeme1);
free(r->ccname); free(r->ccname);
@@ -997,6 +1007,8 @@ bx509(struct bx509_request_desc *r)
* '~' and '.' also get encoded, and '@' does not. * '~' and '.' also get encoded, and '@' does not.
* *
* A corresponding decoder is not needed. * A corresponding decoder is not needed.
*
* XXX Maybe use krb5_cc_default_for()!
*/ */
static size_t static size_t
princ_fs_encode_sz(const char *in) princ_fs_encode_sz(const char *in)
@@ -1100,8 +1112,6 @@ find_ccache(krb5_context context, const char *princ, char **ccname)
return ret ? ret : ENOENT; return ret ? ret : ENOENT;
} }
enum k5_creds_kind { K5_CREDS_EPHEMERAL, K5_CREDS_CACHED };
static krb5_error_code static krb5_error_code
get_ccache(struct bx509_request_desc *r, krb5_ccache *cc, int *won) get_ccache(struct bx509_request_desc *r, krb5_ccache *cc, int *won)
{ {
@@ -1402,6 +1412,7 @@ k5_get_creds(struct bx509_request_desc *r, enum k5_creds_kind kind)
const char *cname = r->for_cname ? r->for_cname : r->cname; const char *cname = r->for_cname ? r->for_cname : r->cname;
/* If we have a live ccache for `cprinc', we're done */ /* If we have a live ccache for `cprinc', we're done */
r->cckind = kind;
if (kind == K5_CREDS_CACHED && if (kind == K5_CREDS_CACHED &&
(ret = find_ccache(r->context, cname, &r->ccname)) == 0) (ret = find_ccache(r->context, cname, &r->ccname)) == 0)
return ret; /* Success */ return ret; /* Success */
@@ -1823,10 +1834,8 @@ get_tgt(struct bx509_request_desc *r)
if (fn == NULL) if (fn == NULL)
return bad_500(r, ret, "Impossible error"); return bad_500(r, ret, "Impossible error");
fn++; fn++;
if ((errno = rk_undumpdata(fn, &body, &bodylen))) { if ((errno = rk_undumpdata(fn, &body, &bodylen)))
(void) unlink(fn);
return bad_503(r, ret, "Could not get TGT"); return bad_503(r, ret, "Could not get TGT");
}
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY, ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY,
"application/x-krb5-ccache", body, bodylen, NULL); "application/x-krb5-ccache", body, bodylen, NULL);
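Review bot: In clean_req_desc the new unlink is gated on `r->cckind == K5_CREDS_EPHEMERAL`, and K5_CREDS_EPHEMERAL is the first enumerator (value 0), so a descriptor whose cckind was never assigned reads as ephemeral if the struct is zero-initialised (the initialisation is not visible here). Any path that sets r->ccname without going through k5_get_creds would then have its ccache file deleted at cleanup, even a cached one. Consider making the destructive case non-default, for example `enum k5_creds_kind { K5_CREDS_CACHED, K5_CREDS_EPHEMERAL };` after checking that nothing depends on the numeric values, or assigning cckind where the temporary ccache is actually created. Separately, the result of `(void) unlink(fn);` is discarded, so a failed removal leaves credential material on disk without a trace; logging failures other than ENOENT would make that visible. clean_req_desc's body starts and ends outside the hunk.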