From: sashan
Date: Sun, 29 May 2022 08:32:57 +0000 (+0200)
Subject: Fix uncommon PKINIT memory leak
X-Git-Tag: krb5-1.21-beta1~66
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1253%2Fhead;p=thirdparty%2Fkrb5.git
Fix uncommon PKINIT memory leak
PKINIT per-request module data objects are normally created by pkinit_server_verify_padata() and freed by pkinit_server_return_padata(). In some unusual circumstances, the KDC may not call the return_padata method after verification succeeds. Add a free_modreq method and free the object there instead.
[ghudson@mit.edu: rewrote commit message]
ticket: 9065 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
---
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 1147a8fc2d..865c543c44 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1022,7 +1022,6 @@ pkinit_server_return_padata(krb5_context context,
 (*send_pa)->contents = (krb5_octet *) out_data->data;

 cleanup:
- pkinit_fini_kdc_req_context(context, reqctx);
 free(scratch.data);
 free(out_data);
 if (encoded_dhkey_info != NULL)
@@ -1612,6 +1611,13 @@ pkinit_fini_kdc_req_context(krb5_context context, void *ctx)
 free(reqctx);
 }

+static void
+pkinit_free_modreq(krb5_context context, krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
+{
+ pkinit_fini_kdc_req_context(context, modreq);
+}
+
 krb5_error_code
 kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
 krb5_plugin_vtable vtable);
@@ -1633,5 +1639,6 @@ kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
 vt->edata = pkinit_server_get_edata;
 vt->verify = pkinit_server_verify_padata;
 vt->return_padata = pkinit_server_return_padata;
+ vt->free_modreq = pkinit_free_modreq;
 return 0;
 }
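Review bot: With the `pkinit_fini_kdc_req_context(context, reqctx);` call removed from the `cleanup:` path, nothing in the visible part of pkinit_server_return_padata() records who owns reqctx, and a later edit that restores the call would free the object a second time once free_modreq runs. A short comment at the label would pin the contract down, for example `/* reqctx is the KDC-held modreq; it is released by pkinit_free_modreq(), not here. */`. The function starts and ends outside this hunk, so any other exit path that still releases reqctx is not visible and should be checked against the same assumption.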
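Review bot: pkinit_free_modreq() is now the only place the per-request context is released, yet it carries no comment stating that contract and passes `modreq` to pkinit_fini_kdc_req_context() unchecked. Only the tail of that finalizer (`free(reqctx);`) is visible in this hunk, so whether it tolerates a NULL modreq cannot be confirmed from here; if it does not, add `if (modreq == NULL) return;` before the call. I would also add a header comment such as `/* Release the request context created by pkinit_server_verify_padata(); the KDC may call this without having called return_padata. */`, which restates what the commit message says about the KDC's behaviour.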