From 4c7b4f6ece4284d015b920171442e2f29617073a Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Fri, 18 Feb 2000 00:14:12 +0000
Subject: 	* svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free 
 call_arg on error, since svc_getargs should do that now.

	* svc_udp.c (svcudp_getargs): Free args on xdr decode error to
	avoid leaks.

	* svc_tcp.c (svctcp_getargs): Free args on xdr decode error to
	avoid leaks.

	* svc_raw.c (svcraw_getargs): Free args on xdr decode error to
	avoid leaks.

	* auth_gssapi.c (auth_gssapi_create): Don't explicitly free
	call_res anymore, since clnt_call should deal now.

	* clnt_udp.c (clntudp_call): Free stuff on error from
	xdr_replymsg() to prevent leaking.

	* clnt_tcp.c (clnttcp_call): Free stuff on error from
	xdr_replymsg() to avoid leaking.

	* clnt_raw.c (clntraw_call): Free stuff on error from
	xdr_replymsg() to avoid leaking.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12052 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/ChangeLog         | 26 ++++++++++++++++++++++++++
 src/lib/rpc/auth_gssapi.c     |  1 -
 src/lib/rpc/clnt_raw.c        | 17 ++++++++++++++++-
 src/lib/rpc/clnt_tcp.c        |  9 +++++++++
 src/lib/rpc/clnt_udp.c        | 15 +++++++++++++++
 src/lib/rpc/svc_auth_gssapi.c |  1 -
 src/lib/rpc/svc_raw.c         |  6 +++++-
 src/lib/rpc/svc_tcp.c         | 10 +++++++---
 src/lib/rpc/svc_udp.c         |  8 ++++++--
 9 files changed, 84 insertions(+), 9 deletions(-)

(limited to 'src/lib/rpc')

diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index 444225c..27150b2 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,29 @@
+2000-02-17  Tom Yu  <tlyu@mit.edu>
+
+	* svc_auth_gssapi.c (_svcauth_gssapi): Don't explicitly free
+	call_arg on error, since svc_getargs should do that now.
+
+	* svc_udp.c (svcudp_getargs): Free args on xdr decode error to
+	avoid leaks.
+
+	* svc_tcp.c (svctcp_getargs): Free args on xdr decode error to
+	avoid leaks.
+
+	* svc_raw.c (svcraw_getargs): Free args on xdr decode error to
+	avoid leaks.
+
+	* auth_gssapi.c (auth_gssapi_create): Don't explicitly free
+	call_res anymore, since clnt_call should deal now.
+
+	* clnt_udp.c (clntudp_call): Free stuff on error from
+	xdr_replymsg() to prevent leaking.
+
+	* clnt_tcp.c (clnttcp_call): Free stuff on error from
+	xdr_replymsg() to avoid leaking.
+
+	* clnt_raw.c (clntraw_call): Free stuff on error from
+	xdr_replymsg() to avoid leaking.
+
 2000-02-16  Tom Yu  <tlyu@mit.edu>
 
 	* auth_gssapi.c (auth_gssapi_create): Free call_res because
diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c
index a81c2fa..49d8846 100644
--- a/src/lib/rpc/auth_gssapi.c
+++ b/src/lib/rpc/auth_gssapi.c
@@ -293,7 +293,6 @@ next_token:
 	  if (callstat != RPC_SUCCESS) {
 	       struct rpc_err err;
 
-	       xdr_free(xdr_authgssapi_init_res, &call_res);
 	       clnt_geterr(clnt, &err);
 	       if (callstat == RPC_AUTHERROR &&
 		   (err.re_why == AUTH_BADCRED || err.re_why == AUTH_FAILED)
diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c
index ec5fa6f..44fbf5d 100644
--- a/src/lib/rpc/clnt_raw.c
+++ b/src/lib/rpc/clnt_raw.c
@@ -169,8 +169,23 @@ call_again:
 	msg.acpted_rply.ar_verf = _null_auth;
 	msg.acpted_rply.ar_results.where = resultsp;
 	msg.acpted_rply.ar_results.proc = xresults;
-	if (! xdr_replymsg(xdrs, &msg))
+	if (! xdr_replymsg(xdrs, &msg)) {
+		/*
+		 * It's possible for xdr_replymsg() to fail partway
+		 * through its attempt to decode the result from the
+		 * server. If this happens, it will leave the reply
+		 * structure partially populated with dynamically
+		 * allocated memory. (This can happen if someone uses
+		 * clntudp_bufcreate() to create a CLIENT handle and
+		 * specifies a receive buffer size that is too small.)
+		 * This memory must be free()ed to avoid a leak.
+		 */
+		int op = xdrs->x_op;
+		xdrs->x_op = XDR_FREE;
+		xdr_replymsg(xdrs, &msg);
+		xdrs->x_op = op;
 		return (RPC_CANTDECODERES);
+	}
 	sunrpc_seterr_reply(&msg, &error);
 	status = error.re_status;
 
diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
index 6f36553..4e10a48 100644
--- a/src/lib/rpc/clnt_tcp.c
+++ b/src/lib/rpc/clnt_tcp.c
@@ -283,6 +283,15 @@ call_again:
 			return (ct->ct_error.re_status);
 		/* now decode and validate the response header */
 		if (! xdr_replymsg(xdrs, &reply_msg)) {
+			/*
+			 * Free some stuff allocated by xdr_replymsg()
+			 * to avoid leaks, since it may allocate
+			 * memory from partially successful decodes.
+			 */
+			int op = xdrs->x_op;
+			xdrs->x_op = XDR_FREE;
+			xdr_replymsg(xdrs, &reply_msg);
+			xdrs->x_op = op;
 			if (ct->ct_error.re_status == RPC_SUCCESS)
 				continue;
 			return (ct->ct_error.re_status);
diff --git a/src/lib/rpc/clnt_udp.c b/src/lib/rpc/clnt_udp.c
index 7ef61c9..6046942 100644
--- a/src/lib/rpc/clnt_udp.c
+++ b/src/lib/rpc/clnt_udp.c
@@ -379,6 +379,21 @@ send_again:
 		} 
 	}  /* end of valid reply message */
 	else {
+		/*
+		 * It's possible for xdr_replymsg() to fail partway
+		 * through its attempt to decode the result from the
+		 * server. If this happens, it will leave the reply
+		 * structure partially populated with dynamically
+		 * allocated memory. (This can happen if someone uses
+		 * clntudp_bufcreate() to create a CLIENT handle and
+		 * specifies a receive buffer size that is too small.)
+		 * This memory must be free()ed to avoid a leak.
+		 */
+		int op = reply_xdrs.x_op;
+		reply_xdrs.x_op = XDR_FREE;
+		xdr_replymsg(&reply_xdrs, &reply_msg);
+		reply_xdrs.x_op = op;
+		return (RPC_CANTDECODERES);
 		cu->cu_error.re_status = RPC_CANTDECODERES;
 	}
 	return (cu->cu_error.re_status);
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index b1c275a..827596a 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -271,7 +271,6 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch)
 			    &call_arg)) {
 	       PRINTF(("svcauth_gssapi: cannot decode args\n"));
 	       LOG_MISCERR("protocol error in procedure arguments");
-	       xdr_free(xdr_authgssapi_init_arg, &call_arg);
 	       ret = AUTH_BADCRED;
 	       goto error;
 	  }
diff --git a/src/lib/rpc/svc_raw.c b/src/lib/rpc/svc_raw.c
index e5d9667..23ff889 100644
--- a/src/lib/rpc/svc_raw.c
+++ b/src/lib/rpc/svc_raw.c
@@ -141,7 +141,11 @@ svcraw_getargs(xprt, xdr_args, args_ptr)
 
 	if (srp == 0)
 		return (FALSE);
-	return ((*xdr_args)(&srp->xdr_stream, args_ptr));
+	if (! (*xdr_args)(&srp->xdr_stream, args_ptr)) {
+		(void)svcraw_freeargs(xprt, xdr_args, args_ptr);
+		return FALSE;
+	}
+	return TRUE;
 }
 
 static bool_t
diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c
index 60872c5..cece276 100644
--- a/src/lib/rpc/svc_tcp.c
+++ b/src/lib/rpc/svc_tcp.c
@@ -398,9 +398,13 @@ svctcp_getargs(xprt, xdr_args, args_ptr)
 	xdrproc_t xdr_args;
 	caddr_t args_ptr;
 {
-     return (SVCAUTH_UNWRAP(xprt->xp_auth,
-			    &(((struct tcp_conn *)(xprt->xp_p1))->xdrs),
-			    xdr_args, args_ptr));
+	if (! SVCAUTH_UNWRAP(xprt->xp_auth,
+			     &(((struct tcp_conn *)(xprt->xp_p1))->xdrs),
+			     xdr_args, args_ptr)) {
+		(void)svctcp_freeargs(xprt, xdr_args, args_ptr);
+		return FALSE;
+	}
+	return TRUE;
 }
 
 static bool_t
diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
index 454f99f..c17b4ac 100644
--- a/src/lib/rpc/svc_udp.c
+++ b/src/lib/rpc/svc_udp.c
@@ -272,8 +272,12 @@ svcudp_getargs(xprt, xdr_args, args_ptr)
 	xdrproc_t xdr_args;
 	caddr_t args_ptr;
 {
-     return (SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
-			 xdr_args, args_ptr));
+	if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
+			     xdr_args, args_ptr)) {
+		(void)svcudp_freeargs(xprt, xdr_args, args_ptr);
+		return FALSE;
+	}
+	return TRUE;
 }
 
 static bool_t
-- 
cgit v1.1