Fix output token and GSS context leaks in TKEY/GSS-API error paths
authorOndřej Surý <ondrej@isc.org>
Fri, 10 Apr 2026 10:51:31 +0000 (12:51 +0200)
committerOndřej Surý <ondrej@isc.org>
Thu, 7 May 2026 13:14:06 +0000 (15:14 +0200)
In dst_gssapi_acceptctx(), rename outtoken to outtokenp (matching BIND
convention for output pointer parameters) and free the allocated output
token buffer on error in the cleanup path.

In process_gsstkey(), route the empty-principal error path through
cleanup via CLEANUP() instead of returning early, so that the output
token, GSS context, and TSIG key are all freed consistently by the
existing cleanup block.

(cherry picked from commit f2240d2d06a1a68b622bd6b00a52c6fe4274426d)

lib/dns/gssapictx.c
lib/dns/tkey.c

index fabdef5ea637532b6db4316e405f6bef832da69f..a58c3071d409e9e259633229b42c37c74d839c80 100644 (file)
@@ -637,7 +637,7 @@ out:
 isc_result_t
 dst_gssapi_acceptctx(gss_cred_id_t cred,
                     const char *gssapi_keytab,
-                    isc_region_t *intoken, isc_buffer_t **outtoken,
+                    isc_region_t *intoken, isc_buffer_t **outtokenp,
                     gss_ctx_id_t *ctxout, dns_name_t *principal,
                     isc_mem_t *mctx) {
        isc_region_t r;
@@ -650,7 +650,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
        isc_result_t result;
        char buf[1024];
 
-       REQUIRE(outtoken != NULL && *outtoken == NULL);
+       REQUIRE(outtokenp != NULL && *outtokenp == NULL);
        REQUIRE(*ctxout == NULL);
 
        REGION_TO_GBUFFER(*intoken, gintoken);
@@ -728,10 +728,13 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
        }
 
        if (gouttoken.length > 0U) {
-               RETERR(isc_buffer_allocate(mctx, outtoken,
+               RETERR(isc_buffer_allocate(mctx, outtokenp,
                                           (unsigned int)gouttoken.length));
                GBUFFER_TO_REGION(gouttoken, r);
-               RETERR(isc_buffer_copyregion(*outtoken, &r));
+               result = isc_buffer_copyregion(*outtokenp, &r);
+               if (result != ISC_R_SUCCESS) {
+                       goto out;
+               }
                (void)gss_release_buffer(&minor, &gouttoken);
        }
 
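Review bot: On the `isc_buffer_copyregion()` failure branch, the `goto out` skips `gss_release_buffer(&minor, &gouttoken)`, so the GSS-allocated token is released only on the success path unless the `out:` block releases it, which the visible lines do not show. The `RETERR(isc_buffer_allocate(...))` line above has the same gap, assuming RETERR jumps to `out` on error. For the copy, release before testing the result: put `(void)gss_release_buffer(&minor, &gouttoken);` directly after `result = isc_buffer_copyregion(*outtokenp, &r);` and before the `if`. A single release under `out:` would cover both paths, provided `gouttoken` starts out as an empty buffer. The function body starts and ends outside this hunk.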
@@ -772,6 +775,10 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
        *ctxout = context;
 
 out:
+       if (result != ISC_R_SUCCESS && *outtokenp != NULL) {
+               isc_buffer_free(outtokenp);
+       }
+
        if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) {
                (void)gss_delete_sec_context(&minor, &context, NULL);
        }
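Review bot: The new free under `out:` is safe against a double free only because `isc_buffer_free()` resets `*outtokenp` to NULL, and that contract is not written down here. The caller's own `failure:` block in tkey.c frees `outtoken` again when it is non-NULL. A short comment above the new `if` would keep a later refactor from breaking this, for example `/* On error leave *outtokenp == NULL; callers also free it in their cleanup path. */`. The function's header comment, which is outside this hunk, should state the same postcondition.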
index 5edd21220d25c02774409758f492f817727534e0..bb96e77b772c99c3fe0da26d7300aa419570fe62 100644 (file)
@@ -506,11 +506,10 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
                                      &intoken, &outtoken, &gss_ctx,
                                      principal, tctx->mctx);
        if (result != ISC_R_SUCCESS) {
-               if (tsigkey != NULL)
-                       dns_tsigkey_detach(&tsigkey);
                tkeyout->error = dns_tsigerror_badkey;
-               tkey_log("process_gsstkey(): dns_tsigerror_badkey");    /* XXXSRA */
-               return (ISC_R_SUCCESS);
+               tkey_log("process_gsstkey(): dns_tsigerror_badkey");
+               result = ISC_R_SUCCESS;
+               goto failure;
        }
 
        /*
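Review bot: The result code from `dst_gssapi_acceptctx()` is overwritten with `ISC_R_SUCCESS` before anything records it, so the log carries only the fixed string `dns_tsigerror_badkey`. The last hunk of this file also makes the `failure:` block skip its `isc_result_totext()` log line when the result is success, so the underlying reason is never logged. Operators investigating rejected TKEY negotiations need it, so log it before the reset: `tkey_log("process_gsstkey(): dns_tsigerror_badkey: %s", isc_result_totext(result));`. This path, like the empty-principal branch in the next hunk, reaches `failure:` with a success result, so a neutral label name such as `cleanup` would read better.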
@@ -522,9 +521,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
        isc_stdtime_get(&now);
 
        if (dns_name_countlabels(principal) == 0U) {
-               if (tsigkey != NULL) {
-                       dns_tsigkey_detach(&tsigkey);
-               }
+               tkeyout->error = dns_tsigerror_badkey;
+               tkey_log("process_gsstkey(): "
+                        "completed context with empty principal");
+               result = ISC_R_SUCCESS;
+               goto failure;
        } else if (tsigkey == NULL) {
 #ifdef GSSAPI
                OM_uint32 gret, minor, lifetime;
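Review bot: The empty-principal branch now rejects the request instead of falling through as before, but nothing in the code says why. A comment such as `/* A completed context with no principal gives no identity to bind the key to; refuse it. */` would make the security intent explicit. The branch now always ends in `goto failure`, so the following `} else if (tsigkey == NULL) {` can become a plain `if`. This branch also now depends on the `failure:` block to detach `tsigkey` and delete `gss_ctx`. Only the `outtoken` free is visible in this diff, so confirm the other two are handled there.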
@@ -608,10 +609,10 @@ failure:
        if (outtoken != NULL)
                isc_buffer_free(&outtoken);
 
-       tkey_log("process_gsstkey(): %s",
-               isc_result_totext(result));     /* XXXSRA */
-
-       return (result);
+       if (result != ISC_R_SUCCESS) {
+               tkey_log("process_gsstkey(): %s", isc_result_totext(result));
+       }
+       return result;
 }
 
 static isc_result_t