diff options
| author | Tom Yu <tlyu@mit.edu> | 2000-02-18 00:14:12 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2000-02-18 00:14:12 +0000 |
| commit | 4c7b4f6ece4284d015b920171442e2f29617073a (patch) | |
| tree | 5bd5cf94f2b49fc05a12f1841a206fb4fa1daa9a /src/lib/rpc | |
| parent | 48511d8c90034b7573d6c9e4e1bf65893750f146 (diff) | |
| download | krb5-4c7b4f6ece4284d015b920171442e2f29617073a.zip krb5-4c7b4f6ece4284d015b920171442e2f29617073a.tar.gz krb5-4c7b4f6ece4284d015b920171442e2f29617073a.tar.bz2 | |
* svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free
call_arg on error, since svc_getargs should do that now.
* svc_udp.c (svcudp_getargs): Free args on xdr decode error to
avoid leaks.
* svc_tcp.c (svctcp_getargs): Free args on xdr decode error to
avoid leaks.
* svc_raw.c (svcraw_getargs): Free args on xdr decode error to
avoid leaks.
* auth_gssapi.c (auth_gssapi_create): Don't explicitly free
call_res anymore, since clnt_call should deal now.
* clnt_udp.c (clntudp_call): Free stuff on error from
xdr_replymsg() to prevent leaking.
* clnt_tcp.c (clnttcp_call): Free stuff on error from
xdr_replymsg() to avoid leaking.
* clnt_raw.c (clntraw_call): Free stuff on error from
xdr_replymsg() to avoid leaking.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12052 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/rpc')
| -rw-r--r-- | src/lib/rpc/ChangeLog | 26 | ||||
| -rw-r--r-- | src/lib/rpc/auth_gssapi.c | 1 | ||||
| -rw-r--r-- | src/lib/rpc/clnt_raw.c | 17 | ||||
| -rw-r--r-- | src/lib/rpc/clnt_tcp.c | 9 | ||||
| -rw-r--r-- | src/lib/rpc/clnt_udp.c | 15 | ||||
| -rw-r--r-- | src/lib/rpc/svc_auth_gssapi.c | 1 | ||||
| -rw-r--r-- | src/lib/rpc/svc_raw.c | 6 | ||||
| -rw-r--r-- | src/lib/rpc/svc_tcp.c | 10 | ||||
| -rw-r--r-- | src/lib/rpc/svc_udp.c | 8 |
9 files changed, 84 insertions, 9 deletions
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index 444225c..27150b2 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,29 @@ +2000-02-17 Tom Yu <tlyu@mit.edu> + + * svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free + call_arg on error, since svc_getargs should do that now. + + * svc_udp.c (svcudp_getargs): Free args on xdr decode error to + avoid leaks. + + * svc_tcp.c (svctcp_getargs): Free args on xdr decode error to + avoid leaks. + + * svc_raw.c (svcraw_getargs): Free args on xdr decode error to + avoid leaks. + + * auth_gssapi.c (auth_gssapi_create): Don't explicitly free + call_res anymore, since clnt_call should deal now. + + * clnt_udp.c (clntudp_call): Free stuff on error from + xdr_replymsg() to prevent leaking. + + * clnt_tcp.c (clnttcp_call): Free stuff on error from + xdr_replymsg() to avoid leaking. + + * clnt_raw.c (clntraw_call): Free stuff on error from + xdr_replymsg() to avoid leaking. + 2000-02-16 Tom Yu <tlyu@mit.edu> * auth_gssapi.c (auth_gssapi_create): Free call_res because diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c index a81c2fa..49d8846 100644 --- a/src/lib/rpc/auth_gssapi.c +++ b/src/lib/rpc/auth_gssapi.c @@ -293,7 +293,6 @@ next_token: if (callstat != RPC_SUCCESS) { struct rpc_err err; - xdr_free(xdr_authgssapi_init_res, &call_res); clnt_geterr(clnt, &err); if (callstat == RPC_AUTHERROR && (err.re_why == AUTH_BADCRED || err.re_why == AUTH_FAILED) diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c index ec5fa6f..44fbf5d 100644 --- a/src/lib/rpc/clnt_raw.c +++ b/src/lib/rpc/clnt_raw.c @@ -169,8 +169,23 @@ call_again: msg.acpted_rply.ar_verf = _null_auth; msg.acpted_rply.ar_results.where = resultsp; msg.acpted_rply.ar_results.proc = xresults; - if (! xdr_replymsg(xdrs, &msg)) + if (! xdr_replymsg(xdrs, &msg)) { + /* + * It's possible for xdr_replymsg() to fail partway + * through its attempt to decode the result from the + * server. If this happens, it will leave the reply + * structure partially populated with dynamically + * allocated memory. (This can happen if someone uses + * clntudp_bufcreate() to create a CLIENT handle and + * specifies a receive buffer size that is too small.) + * This memory must be free()ed to avoid a leak. + */ + int op = xdrs->x_op; + xdrs->x_op = XDR_FREE; + xdr_replymsg(xdrs, &msg); + xdrs->x_op = op; return (RPC_CANTDECODERES); + } sunrpc_seterr_reply(&msg, &error); status = error.re_status; diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c index 6f36553..4e10a48 100644 --- a/src/lib/rpc/clnt_tcp.c +++ b/src/lib/rpc/clnt_tcp.c @@ -283,6 +283,15 @@ call_again: return (ct->ct_error.re_status); /* now decode and validate the response header */ if (! xdr_replymsg(xdrs, &reply_msg)) { + /* + * Free some stuff allocated by xdr_replymsg() + * to avoid leaks, since it may allocate + * memory from partially successful decodes. + */ + int op = xdrs->x_op; + xdrs->x_op = XDR_FREE; + xdr_replymsg(xdrs, &reply_msg); + xdrs->x_op = op; if (ct->ct_error.re_status == RPC_SUCCESS) continue; return (ct->ct_error.re_status); diff --git a/src/lib/rpc/clnt_udp.c b/src/lib/rpc/clnt_udp.c index 7ef61c9..6046942 100644 --- a/src/lib/rpc/clnt_udp.c +++ b/src/lib/rpc/clnt_udp.c @@ -379,6 +379,21 @@ send_again: } } /* end of valid reply message */ else { + /* + * It's possible for xdr_replymsg() to fail partway + * through its attempt to decode the result from the + * server. If this happens, it will leave the reply + * structure partially populated with dynamically + * allocated memory. (This can happen if someone uses + * clntudp_bufcreate() to create a CLIENT handle and + * specifies a receive buffer size that is too small.) + * This memory must be free()ed to avoid a leak. + */ + int op = reply_xdrs.x_op; + reply_xdrs.x_op = XDR_FREE; + xdr_replymsg(&reply_xdrs, &reply_msg); + reply_xdrs.x_op = op; + return (RPC_CANTDECODERES); cu->cu_error.re_status = RPC_CANTDECODERES; } return (cu->cu_error.re_status); diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c index b1c275a..827596a 100644 --- a/src/lib/rpc/svc_auth_gssapi.c +++ b/src/lib/rpc/svc_auth_gssapi.c @@ -271,7 +271,6 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch) &call_arg)) { PRINTF(("svcauth_gssapi: cannot decode args\n")); LOG_MISCERR("protocol error in procedure arguments"); - xdr_free(xdr_authgssapi_init_arg, &call_arg); ret = AUTH_BADCRED; goto error; } diff --git a/src/lib/rpc/svc_raw.c b/src/lib/rpc/svc_raw.c index e5d9667..23ff889 100644 --- a/src/lib/rpc/svc_raw.c +++ b/src/lib/rpc/svc_raw.c @@ -141,7 +141,11 @@ svcraw_getargs(xprt, xdr_args, args_ptr) if (srp == 0) return (FALSE); - return ((*xdr_args)(&srp->xdr_stream, args_ptr)); + if (! (*xdr_args)(&srp->xdr_stream, args_ptr)) { + (void)svcraw_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c index 60872c5..cece276 100644 --- a/src/lib/rpc/svc_tcp.c +++ b/src/lib/rpc/svc_tcp.c @@ -398,9 +398,13 @@ svctcp_getargs(xprt, xdr_args, args_ptr) xdrproc_t xdr_args; caddr_t args_ptr; { - return (SVCAUTH_UNWRAP(xprt->xp_auth, - &(((struct tcp_conn *)(xprt->xp_p1))->xdrs), - xdr_args, args_ptr)); + if (! SVCAUTH_UNWRAP(xprt->xp_auth, + &(((struct tcp_conn *)(xprt->xp_p1))->xdrs), + xdr_args, args_ptr)) { + (void)svctcp_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c index 454f99f..c17b4ac 100644 --- a/src/lib/rpc/svc_udp.c +++ b/src/lib/rpc/svc_udp.c @@ -272,8 +272,12 @@ svcudp_getargs(xprt, xdr_args, args_ptr) xdrproc_t xdr_args; caddr_t args_ptr; { - return (SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), - xdr_args, args_ptr)); + if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), + xdr_args, args_ptr)) { + (void)svcudp_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; } static bool_t |