From 4f10fd9bd72a43ce87ed89ced58b5bea32f48beb Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Thu, 13 Dec 2012 00:34:45 -0700
Subject: [PATCH] Fix memory leaks in Kerberos LDAP group helper
Memory was not released when parsing invalid input config parameters. Detected by Coverity Scan. Issue 740421, 740423, 740424.
---
 .../kerberos_ldap_group/support_group.cc | 5 +++
 .../kerberos_ldap_group/support_ldap.cc | 1 +
 .../kerberos_ldap_group/support_lserver.cc | 5 +++
 .../kerberos_ldap_group/support_netbios.cc | 5 +++
 .../kerberos_ldap_group/support_resolv.cc | 37 ++++++++++---------
 .../kerberos_ldap_group/support_sasl.cc | 4 --
 6 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/helpers/external_acl/kerberos_ldap_group/support_group.cc b/helpers/external_acl/kerberos_ldap_group/support_group.cc
index af2cd8bcb7..3ff3cca29a 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_group.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_group.cc
@@ -388,6 +388,11 @@ create_gd(struct main_args *margs)
 cleanup();
 return (1);
 }
+ if (dp) { /* end of domain name - twice */
+ debug((char *) "%s| %s: @ is not allowed in group name %s@%s\n",LogTime(), PROGRAM,gp,dp);
+ cleanup();
+ return(1);
+ }
 *p = '\0';
 ++p;
 gdsp = init_gd();
diff --git a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
index fe78a3c409..3728476176 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
@@ -1166,6 +1166,7 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group)
 debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group);
 } else
+ ldap_msgfree(res);
 debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group);
 /*
 * Cleanup
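Review bot: The rejection added in create_gd is reported through `debug()` with no severity tag, whereas the other messages in this patch carry `DEBUG:` or `ERROR:`. A group list refused for a second `@` makes the function return 1, and that should be visible as an error rather than depend on debug output being enabled (presumably what `debug()` requires; confirm). Suggested line: `error((char *) "%s| %s: ERROR: @ is not allowed in group name %s@%s\n", LogTime(), PROGRAM, gp, dp);`, assuming `error()` as used in support_resolv.cc is available in this file. The same applies to the messages added in support_lserver.cc and support_netbios.cc. The branch this guard sits in starts outside the hunk.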
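Review bot: The added `ldap_msgfree(res);` in get_memberof sits directly under a brace-less `else`, so it becomes the entire else-body and the following `debug(... "Did not find ldap entry for group %s\n" ...)` now runs on every path, including after a successful match. Brace the branch so both statements stay conditional: `} else {`, then `ldap_msgfree(res); res = NULL;`, then the existing debug call and a closing `}`. The `Cleanup` section that begins on the last lines of the hunk is not visible here; if it also frees `res`, clearing the pointer as suggested avoids a double free. This helper's logs are what an operator reads when a group check unexpectedly fails, so a "did not find" line on the success path is misleading.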
diff --git a/helpers/external_acl/kerberos_ldap_group/support_lserver.cc b/helpers/external_acl/kerberos_ldap_group/support_lserver.cc
index 256213ab0c..df9b64b231 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_lserver.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_lserver.cc
@@ -100,6 +100,11 @@ create_ls(struct main_args *margs)
 free_ls(lssp);
 return (1);
 }
+ if (dp) { /* end of domain name - twice */
+ debug((char *) "%s| %s: @ is not allowed in server name %s@%s\n",LogTime(), PROGRAM,np,dp);
+ free_ls(lssp);
+ return(1);
+ }
 *p = '\0';
 ++p;
 if (dp) { /* end of domain name */
diff --git a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
index 4016dfa768..6d2269a65c 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
@@ -89,6 +89,11 @@ create_nd(struct main_args *margs)
 free_nd(ndsp);
 return (1);
 }
+ if (dp) { /* end of domain name - twice */
+ debug((char *) "%s| %s: @ is not allowed in netbios name %s@%s\n",LogTime(), PROGRAM,np,dp);
+ free_nd(ndsp);
+ return(1);
+ }
 *p = '\0';
 ++p;
 ndsp = init_nd();
diff --git a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
index 7f53353752..e984f4ee51 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
@@ -297,10 +297,10 @@ get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh,
 if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) {
 error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
 nsError(h_errno, service);
- goto cleanup;
+ goto finalise;
 }
 } else {
- goto cleanup;
+ goto finalise;
 }
 }
 if (len > PACKETSZ_MULT * NS_PACKETSZ) {
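Review bot: In the support_lserver.cc hunk the new `if (dp)` guard returns whenever `dp` is set, and the lines right after it are `*p = '\0'; ++p; if (dp) { /* end of domain name */`, so that existing branch can no longer be taken. In support_group.cc and support_netbios.cc the same guard is followed by `init_gd()` / `init_nd()`, which suggests it belongs in the branch that starts a domain name rather than the one that ends it. As placed, an entry whose domain part has already been seen looks like it would be rejected instead of stored. Please check which branch of create_ls this hunk landed in (the branch header is outside the hunk) and move the guard there. If the placement is intended, remove the now-dead `if (dp)` arm and say so in a comment.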
@@ -309,70 +309,70 @@ get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh,
 if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) {
 error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
 nsError(h_errno, service);
- goto cleanup;
+ goto finalise;
 }
 if (len > olen) {
 error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len);
- goto cleanup;
+ goto finalise;
 }
 }
 p = buffer;
 p += 6 * NS_INT16SZ; /* Header(6*16bit) = id + flags + 4*section count */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
 error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
+ goto finalise;
 }
 p += size; /* Query name */
 p += 2 * NS_INT16SZ; /* Query type + class (2*16bit) */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 while (p < buffer + len) {
 if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
 error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
+ goto finalise;
 }
 p += size; /* Resource Record name */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 NS_GET16(type, p); /* RR type (16bit) */
 p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 NS_GET16(rdlength, p); /* RR data length (16bit) */
 if (type == ns_t_srv) { /* SRV record */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 NS_GET16(priority, p); /* Priority (16bit) */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 NS_GET16(weight, p); /* Weight (16bit) */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 NS_GET16(port, p); /* Port (16bit) */
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) {
 error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
+ goto finalise;
 }
 debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host);
 hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1));
@@ -387,7 +387,7 @@ get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh,
 }
 if (p > buffer + len) {
 error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ goto finalise;
 }
 }
 if (p != buffer + len) {
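Review bot: Each `if (p > buffer + len)` check in the -309,70 hunk only proves that `p` is not already past the end of the reply, yet the `NS_GET16(...)` that follows consumes two more bytes. With `p == buffer + len` the reads of `type`, `rdlength`, `priority`, `weight` or `port` therefore go beyond the data res_search returned. The commit touches these lines only for the label rename, but the reply is network input, so each check should cover the bytes about to be read, e.g. `if (p + NS_INT16SZ > buffer + len) {` before every `NS_GET16`. How much slack the allocation of `buffer` leaves beyond `len` is decided outside the hunk, so whether this is a stale-data read or an out-of-bounds one cannot be told from here. get_ldap_hostname_list starts and ends outside the hunk.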
@@ -396,10 +396,10 @@ get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh,
 #else
 error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p);
 #endif
- goto cleanup;
+ goto finalise;
 }
-cleanup:
+finalise:
 nhosts = get_hostname_list(margs, &hp, nh, domain);
 debug("%s| %s: DEBUG: Adding %s to list\n", LogTime(), PROGRAM, domain);
@@ -411,6 +411,7 @@ cleanup:
 hp[nhosts].weight = -2;
 ++nhosts;
+cleanup:
 /* Remove duplicates */
 for (i = 0; i < nhosts; ++i) {
 for (j = i + 1; j < nhosts; ++j) {
diff --git a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
index 1fd26e2f58..29e6970c31 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
@@ -231,11 +231,7 @@ tool_sasl_bind(LDAP * ld, char *binddn, char *ssl)
 char *sasl_realm = NULL;
 char *sasl_authc_id = NULL;
 char *sasl_authz_id = NULL;
-#ifdef HAVE_SUN_LDAP_SDK
 char *sasl_mech = (char *) "GSSAPI";
-#else
- char *sasl_mech = NULL;
-#endif
 /*
 * Force encryption
 */
--
2.47.3
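Review bot: No `goto cleanup` remains among the lines this patch shows for support_resolv.cc, so the `cleanup:` label added before `/* Remove duplicates */` in the -411,6 hunk is reachable only from code outside these hunks, if at all. Every visible jump now targets `finalise`, which still calls `get_hostname_list()` and appends the domain entry before falling through. If an earlier jump to `cleanup` exists, the label should say what it skips, e.g. `/* cleanup: entered directly only when the host list must not be extended; finalise falls through to here */`. If none exists the label is unused and can be dropped. The two label names do not convey that difference on their own.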