After gss_accept_sec_context() succeeds, the GSS context is passed
to dst_key_fromgssapi() which transfers ownership to the dst_key.
If a subsequent operation fails (dst_key_fromgssapi itself,
dns_tsigkey_createfromkey, or dns_tsigkeyring_add), the cleanup
label frees the dst_key but only if it was created. If the failure
happened before dst_key_fromgssapi, the GSS context was orphaned.
Delete the GSS context in the cleanup path when it was not
transferred to a dst_key.
return ISC_R_SUCCESS;
cleanup:
+ /*
+ * If dstkey was created, the GSS context was transferred to it
+ * and will be freed when dstkey is freed. Otherwise, we must
+ * delete the GSS context directly to prevent a leak.
+ */
+ if (dstkey == NULL && gss_ctx != NULL) {
+ dst_gssapi_deletectx(tctx->mctx, &gss_ctx);
+ }
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
}
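Review bot: In the new cleanup block, `dstkey == NULL` serves as a proxy for "the context was not transferred", which only holds if dstkey stays non-NULL on every path after dst_key_fromgssapi() succeeds. If dstkey is released and reset to NULL anywhere before a later jump to cleanup (that code is not visible in this hunk), the condition becomes true again and dst_gssapi_deletectx() would run on a context that was already freed with the key. Tracking ownership on gss_ctx itself is more robust: set gss_ctx to GSS_C_NO_CONTEXT immediately after dst_key_fromgssapi() returns success and reduce the check to `if (gss_ctx != GSS_C_NO_CONTEXT)`. It is also worth confirming that dst_key_fromgssapi() never retains the context when it returns an error, since the commit message lists that failure as one this path is meant to cover.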