Fix output token and GSS context leaks in TKEY/GSS-API error paths
authorOndřej Surý <ondrej@isc.org>
Fri, 10 Apr 2026 10:51:31 +0000 (12:51 +0200)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:21:59 +0000 (13:21 +0200)
In dst_gssapi_acceptctx(), rename outtoken to outtokenp (matching BIND
convention for output pointer parameters) and free the allocated output
token buffer on error in the cleanup path.

In process_gsstkey(), route the empty-principal error path through
cleanup via CLEANUP() instead of returning early, so that the output
token, GSS context, and TSIG key are all freed consistently by the
existing cleanup block.

(cherry picked from commit 6c46c85d02849fb659584275313529794039f433)

lib/dns/gssapictx.c
lib/dns/tkey.c

index a1df18a6afcc80055916d8fa6ead8c94ccb4f54e..4109a4f975c7ee6abc0086c18fd1333392cfefde 100644 (file)
@@ -646,7 +646,7 @@ cleanup:
 
 isc_result_t
 dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
-                    isc_region_t *intoken, isc_buffer_t **outtoken,
+                    isc_region_t *intoken, isc_buffer_t **outtokenp,
                     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
                     isc_mem_t *mctx) {
        isc_region_t r;
@@ -659,7 +659,7 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
        isc_result_t result;
        char buf[1024];
 
-       REQUIRE(outtoken != NULL && *outtoken == NULL);
+       REQUIRE(outtokenp != NULL && *outtokenp == NULL);
        REQUIRE(*ctxout == NULL);
 
        REGION_TO_GBUFFER(*intoken, gintoken);
@@ -740,10 +740,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
        }
 
        if (gouttoken.length > 0U) {
-               isc_buffer_allocate(mctx, outtoken,
+               isc_buffer_allocate(mctx, outtokenp,
                                    (unsigned int)gouttoken.length);
                GBUFFER_TO_REGION(gouttoken, r);
-               CHECK(isc_buffer_copyregion(*outtoken, &r));
+               CHECK(isc_buffer_copyregion(*outtokenp, &r));
                (void)gss_release_buffer(&minor, &gouttoken);
        }
 
@@ -781,6 +781,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
        *ctxout = context;
 
 cleanup:
+       if (result != ISC_R_SUCCESS && *outtokenp != NULL) {
+               isc_buffer_free(outtokenp);
+       }
+
        if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) {
                (void)gss_delete_sec_context(&minor, &context, NULL);
        }
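Review bot: The `CHECK(isc_buffer_copyregion(*outtokenp, &r))` in the preceding hunk still jumps past `(void)gss_release_buffer(&minor, &gouttoken)` on failure, and the cleanup lines visible here free only the isc_buffer and the security context. Unless the part of the cleanup block outside this hunk releases it, the GSS-allocated token is leaked on that path. A release in cleanup such as `if (gouttoken.length != 0U) { (void)gss_release_buffer(&minor, &gouttoken); }` would cover it, assuming `gouttoken` is initialised before the first jump to `cleanup`. It would also be worth stating in the function's comment that `*outtokenp` is NULL again on any non-success return, since the caller's own cleanup depends on that.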
index a78dc83f03a09992a3e75c0d8b38ae9e43f36cc9..072c85e98409133a8201e643dbb1e11e27ae6a73 100644 (file)
@@ -540,13 +540,10 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
                                      &intoken, &outtoken, &gss_ctx, principal,
                                      tctx->mctx);
        if (result != ISC_R_SUCCESS) {
-               if (tsigkey != NULL) {
-                       dns_tsigkey_detach(&tsigkey);
-               }
                tkeyout->error = dns_tsigerror_badkey;
-               tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA
-                                                                     */
-               return ISC_R_SUCCESS;
+               tkey_log("process_gsstkey(): dns_tsigerror_badkey");
+               result = ISC_R_SUCCESS;
+               goto cleanup;
        }
 
        /*
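Review bot: The failure branch after dst_gssapi_acceptctx() overwrites `result` with ISC_R_SUCCESS without recording why the call failed. The last hunk of this file also makes the closing `tkey_log()` conditional on a non-success result, so this path logs only the fixed string. The underlying reason is what an operator needs when triaging rejected TKEY negotiations; consider `tkey_log("process_gsstkey(): dns_tsigerror_badkey: %s", isc_result_totext(result));` ahead of the reset, unless dst_gssapi_acceptctx() already logs it. process_gsstkey() begins and ends outside this hunk.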
@@ -558,9 +555,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
        isc_stdtime_get(&now);
 
        if (dns_name_countlabels(principal) == 0U) {
-               if (tsigkey != NULL) {
-                       dns_tsigkey_detach(&tsigkey);
-               }
+               tkeyout->error = dns_tsigerror_badkey;
+               tkey_log("process_gsstkey(): "
+                        "completed context with empty principal");
+               result = ISC_R_SUCCESS;
+               goto cleanup;
        } else if (tsigkey == NULL) {
 #if HAVE_GSSAPI
                OM_uint32 gret, minor, lifetime;
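Review bot: The empty-principal branch forces `result = ISC_R_SUCCESS` before `goto cleanup`, so any release in the cleanup block that is conditioned on a failing result will not run for it. Most of that cleanup block is outside the visible hunks (only the `isc_buffer_free(&outtoken)` line shows), so please confirm that `gss_ctx`, which dst_gssapi_acceptctx() has just handed back on this path, is released there regardless of `result`. In gssapictx.c the corresponding release is guarded by `result != ISC_R_SUCCESS`. A short comment at the branch, e.g. `/* Reply with BADKEY; cleanup releases gss_ctx, outtoken and tsigkey. */`, would record that the success code is deliberate. As a style point, the `else if` that follows the `goto` could become a plain `if`.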
@@ -638,9 +637,9 @@ cleanup:
                isc_buffer_free(&outtoken);
        }
 
-       tkey_log("process_gsstkey(): %s", isc_result_totext(result)); /* XXXSRA
-                                                                      */
-
+       if (result != ISC_R_SUCCESS) {
+               tkey_log("process_gsstkey(): %s", isc_result_totext(result));
+       }
        return result;
 }