pkinit: fix leak in client

This commit is contained in:
Nicolas Williams
2019-07-05 15:30:43 -05:00
parent 37b55e1fdb
commit 941dfd95a3

View File

@@ -1091,6 +1091,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
krb5_data content;
heim_octet_string unwrapped;
heim_oid contentType = { 0, NULL };
int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
@@ -1122,9 +1123,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
/* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) {
heim_oid type2;
heim_octet_string out;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) {
/* windows LH with interesting CMS packets */
size_t ph = 1 + der_length_len(content.length);
@@ -1143,7 +1143,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.data = ptr;
content.length += ph;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret)
goto out;
}
@@ -1152,13 +1152,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_set_error_message(context, ret,
N_("PKINIT: Invalid content type", ""));
der_free_oid(&type2);
der_free_octet_string(&out);
der_free_octet_string(&unwrapped);
goto out;
}
der_free_oid(&type2);
krb5_data_free(&content);
ret = krb5_data_copy(&content, out.data, out.length);
der_free_octet_string(&out);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
@@ -1171,10 +1171,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.length,
ctx->id,
&contentType,
&content,
&unwrapped,
&host);
if (ret)
goto out;
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
/* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, realm, hi, ctx, host);
@@ -1887,7 +1890,7 @@ _krb5_pk_load_id(krb5_context context,
NULL, *chain_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to laod chain %s",
"Failed to load chain %s",
*chain_list);
goto out;
}