When gss_accept_sec_context() completes successfully but
gss_display_name() returns an empty principal, the GSS context
was leaked — it was neither stored in a key nor deleted.
Delete the context and reject with BADKEY in this case. This
should only occur due to a GSS library bug, since a completed
context should always have a valid principal.
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
}
+ dst_gssapi_deletectx(tctx->mctx, &gss_ctx);
+ tkeyout->error = dns_tsigerror_badkey;
+ tkey_log("process_gsstkey(): "
+ "completed context with empty principal");
+ return ISC_R_SUCCESS;
} else if (tsigkey == NULL) {
#if HAVE_GSSAPI
OM_uint32 gret, minor, lifetime;
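Review bot: the new `return ISC_R_SUCCESS;` in the empty-principal branch leaves process_gsstkey() before anything that follows the if/else chain, so please confirm that nothing acquired earlier in the function is released only on the normal exit path; otherwise this fix for the context leak could introduce a different leak. If there is a shared cleanup path, setting `tkeyout->error = dns_tsigerror_badkey` and falling through to it would be safer than returning here. It would also help to put a short comment above the `dst_gssapi_deletectx()` call explaining that a completed context with an empty principal is not expected and points to a GSS library bug, since that reasoning currently lives only in the commit message.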