- make the tmsglen size check not a strict inequality, since the old
authorMarc Horowitz <marc@mit.edu>
Thu, 13 Aug 1998 03:20:57 +0000 (03:20 +0000)
committerMarc Horowitz <marc@mit.edu>
Thu, 13 Aug 1998 03:20:57 +0000 (03:20 +0000)
cksumtypes can return padded data.
 - plug a memory leak
 - reorder some stuff for clarity

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/marc-3des@10813 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/k5unseal.c

index 2bfd3d76111c651a108685c6412476603a649478..d78e83c91aad86f30584562fca922a5dde2b9a87 100644 (file)
@@ -328,6 +328,7 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
     if (code = krb5_c_decrypt(context, ctx->subkey,
                              KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV,
                              0, &cipher, &plain)) {
+       free(plain.data);
        *minor_status = code;
        return(GSS_S_FAILURE);
     }
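Review bot: `free(plain.data)` releases the decryption buffer without clearing it, here and at the eight other places this commit adds it (the `bodysize < 7` exit in the next hunk and every exit in the third hunk, including the success path, where the buffer holds the full unwrapped message). Clearing it first, e.g. `memset(plain.data, 0, plain.length);` or a zeroizing helper the compiler cannot elide, would keep decrypted message content out of recycled heap memory. Because the same release is now repeated at nine exits, a single `cleanup:` label that clears and frees `plain.data` would also make it harder for a future exit to miss it. The allocation of `plain.data` is outside the hunk, so this assumes it is an ordinary heap buffer of `plain.length` bytes.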
@@ -338,6 +339,7 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
     bodysize = plain.length;
 
     if (bodysize < 7) {
+       free(plain.data);
        *minor_status = G_TOK_TRUNC;
        return(GSS_S_DEFECTIVE_TOKEN);
     }
@@ -351,51 +353,62 @@ kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
     ptr += 2;
     bodysize -= 7;
 
-    if (bodysize != tmsglen) {
-       *minor_status = G_TOK_TRUNC;
-       return(GSS_S_DEFECTIVE_TOKEN);
+    /* check context expiry */
+
+    if ((code = krb5_timeofday(context, &now))) {
+       free(plain.data);
+       *minor_status = code;
+       return(GSS_S_FAILURE);
     }
 
-    tmsg = ptr;
+    if (now > ctx->endtime) {
+       free(plain.data);
+       *minor_status = 0;
+       return(GSS_S_CONTEXT_EXPIRED);
+    }
 
-    /* check context expiry */
+    /* do sequencing checks */
 
-   if ((code = krb5_timeofday(context, &now))) {
-       *minor_status = code;
-       return(GSS_S_FAILURE);
-   }
+    if ((ctx->initiate && tdirection != 0xff) ||
+       (!ctx->initiate && tdirection != 0)) {
+       free(plain.data);
+       *minor_status = G_BAD_DIRECTION;
+       return(GSS_S_BAD_SIG);
+    }
 
-   if (now > ctx->endtime) {
-       *minor_status = 0;
-       return(GSS_S_CONTEXT_EXPIRED);
-   }
+    if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
+       free(plain.data);
+       *minor_status = 0;
+       return(retval);
+    }
 
-   /* do sequencing checks */
+    /* now copy out the data.  can't do a strict equality check here,
+       since the output could be padded.  */
 
-   if ((ctx->initiate && tdirection != 0xff) ||
-       (!ctx->initiate && tdirection != 0)) {
-       *minor_status = G_BAD_DIRECTION;
-       return(GSS_S_BAD_SIG);
-   }
+    if (bodysize < tmsglen) {
+       free(plain.data);
+       *minor_status = G_TOK_TRUNC;
+       return(GSS_S_DEFECTIVE_TOKEN);
+    }
 
-   if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
-       *minor_status = 0;
-       return(retval);
-   }
+    tmsg = ptr;
 
-   if ((output->value = (void *) malloc(tmsglen)) == NULL) {
-       *minor_status = ENOMEM;
-       return(GSS_S_FAILURE);
-   }
+    if ((output->value = (void *) malloc(tmsglen)) == NULL) {
+       free(plain.data);
+       *minor_status = ENOMEM;
+       return(GSS_S_FAILURE);
+    }
 
-   memcpy(output->value, tmsg, tmsglen);
-   output->length = tmsglen;
+    memcpy(output->value, tmsg, tmsglen);
+    output->length = tmsglen;
 
-   if (qop_state)
-       *qop_state = GSS_C_QOP_DEFAULT;
+    if (qop_state)
+       *qop_state = GSS_C_QOP_DEFAULT;
 
-   *minor_status = 0;
-   return(GSS_S_COMPLETE);
+    free(plain.data);
+
+    *minor_status = 0;
+    return(GSS_S_COMPLETE);
 }
 
 /* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
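Review bot: The relaxed length check `if (bodysize < tmsglen)` now runs after `g_order_check(&(ctx->seqstate), tseqnum)`, so a token whose declared length exceeds the decrypted body is rejected only after the sequence state has presumably been updated for it (the body of g_order_check is not visible here). Moving the length check back above the `/* do sequencing checks */` block would keep a defective token from consuming a sequence number. Separately, the check now bounds `tmsglen` only from above, and its declaration is outside the hunk. If it is a signed type, a negative value decoded from the token would pass the comparison and reach `malloc(tmsglen)` and `memcpy`, so confirm it is unsigned or extend the guard to `if (tmsglen < 0 || bodysize < tmsglen)`. The start of kg2_unwrap_priv, including where `tmsglen`, `tdirection` and `tseqnum` are parsed, is outside this hunk.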