Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 24 Nov 2014, Jan Cholasta wrote:
From bf1132192a9a0ac3ee41f24c56de6e911af51b78 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/8] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..a450007 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2070,7 +2070,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_princ_component(context, ks_client_princ,
1)-length,
ipactx-kdc_hostname, strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
-kerr = ipadb_reinit_mspac(ipactx, true);
+(void)ipadb_reinit_mspac(ipactx, true);
}
}
ACK
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 24 Nov 2014, Jan Cholasta wrote:
From fef20b5966b4a49cc8c230437cf8f06899b51840 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 24 Nov 2014 13:57:10 +
Subject: [PATCH] Fix memory leak in GetKeytabControl asn1 code
https://fedorahosted.org/freeipa/ticket/4713
---
asn1/ipa_asn1.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/asn1/ipa_asn1.c b/asn1/ipa_asn1.c
index 50851a8..9efca96 100644
--- a/asn1/ipa_asn1.c
+++ b/asn1/ipa_asn1.c
@@ -77,12 +77,12 @@ bool ipaasn1_enc_getktreply(int kvno, struct keys_container
*keys,
{
GetKeytabControl_t gkctrl = { 0 };
bool ret = false;
+KrbKey_t *KK;
gkctrl.present = GetKeytabControl_PR_reply;
gkctrl.choice.reply.newkvno = kvno;
for (int i = 0; i keys-nkeys; i++) {
-KrbKey_t *KK;
KK = calloc(1, sizeof(KrbKey_t));
if (!KK) goto done;
KK-key.type = keys-ksdata[i].key.enctype;
@@ -109,9 +109,18 @@ bool ipaasn1_enc_getktreply(int kvno, struct
keys_container *keys,
}
ret = encode_GetKeytabControl(gkctrl, buf, len);
+KK = NULL;
done:
ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, gkctrl);
+if (KK) {
+free(KK-key.value.buf);
+if (KK-salt) {
+free(KK-salt-value.buf);
+free(KK-salt);
+}
+free(KK);
+}
return ret;
}
ACK.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From c2a03a9e062df5691431babeb55119dbda6b2c67 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:20:18 +
Subject: [PATCH 1/7] Remove redefinition of LOG from ipa-otp-lasttoken
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index d20fca1..15b404d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -47,9 +47,6 @@
#include util.h
#define PLUGIN_NAME ipa-otp-lasttoken
-#define LOG(sev, ...) \
-slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
-%s: %s\n, __func__, __VA_ARGS__), -1
static void *plugin_id;
static const Slapi_PluginDesc preop_desc = {
ACK, this definition, while it differs from what is in util.h, is not
used anywhere in ipa_otp_lasttoken.c
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 10b309f53852665050465df8aa44290dfe232291 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:33:23 +
Subject: [PATCH 2/7] Unload P11_Helper object's library when it is finalized
in ipap11helper
https://fedorahosted.org/freeipa/ticket/4713
---
ipapython/ipap11helper/library.c | 5 +
ipapython/ipap11helper/p11helper.c | 9 +++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipapython/ipap11helper/library.c b/ipapython/ipap11helper/library.c
index 51e24eb..619604d 100644
--- a/ipapython/ipap11helper/library.c
+++ b/ipapython/ipap11helper/library.c
@@ -70,6 +70,11 @@ CK_C_GetFunctionList loadLibrary(char* module, void**
moduleHandle)
// Retrieve the entry point for C_GetFunctionList
pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib,
C_GetFunctionList);
+ if (pGetFunctionList == NULL)
+ {
+ dlclose(pDynLib);
+ return NULL;
+ }
// Store the handle so we can dlclose it later
*moduleHandle = pDynLib;
diff --git a/ipapython/ipap11helper/p11helper.c
b/ipapython/ipap11helper/p11helper.c
index 038c26c..558185e 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -66,6 +66,7 @@ PyObject_HEAD
CK_SLOT_ID slot;
CK_FUNCTION_LIST_PTR p11;
CK_SESSION_HANDLE session;
+void *module_handle;
} P11_Helper;
typedef enum {
@@ -478,6 +479,7 @@ P11_Helper_new(PyTypeObject *type, PyObject *args, PyObject
*kwds) {
self-slot = 0;
self-session = 0;
self-p11 = NULL;
+self-module_handle = NULL;
}
return (PyObject *) self;
@@ -496,12 +498,12 @@ static int P11_Helper_init(P11_Helper *self, PyObject
*args, PyObject *kwds) {
CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
module_handle);
if (!pGetFunctionList) {
-if (module_handle != NULL)
-unloadLibrary(module_handle);
PyErr_SetString(ipap11helperError, Could not load the library.);
return -1;
}
+self-module_handle = module_handle;
+
/*
* Load the function list
*/
@@ -567,9 +569,12 @@ P11_Helper_finalize(P11_Helper* self) {
*/
self-p11-C_Finalize(NULL);
+unloadLibrary(self-module_handle);
+
self-p11 = NULL;
self-session = 0;
self-slot = 0;
+self-module_handle = NULL;
return Py_None;
}
ACK.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 11 Nov 2014, Jan Cholasta wrote: Dne 10.11.2014 v 19:25 Jan Cholasta napsal(a): Hi, the attached patches provide additional fixes for https://fedorahosted.org/freeipa/ticket/4651. I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct, please check them carefully. Honza Changed the ticket to https://fedorahosted.org/freeipa/ticket/4713. Updated patches attached. I think I've ACKed all individual patches. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 25.11.2014 v 09:19 Alexander Bokovoy napsal(a): On Tue, 11 Nov 2014, Jan Cholasta wrote: Dne 10.11.2014 v 19:25 Jan Cholasta napsal(a): Hi, the attached patches provide additional fixes for https://fedorahosted.org/freeipa/ticket/4651. I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct, please check them carefully. Honza Changed the ticket to https://fedorahosted.org/freeipa/ticket/4713. Updated patches attached. I think I've ACKed all individual patches. Thanks for the review. Pushed to: master: d55936756d9593bb1c713dc4c1edd251a112c619 ipa-4-1: 94bc7a9431c3e44c4e0dcf84fbb0f0613ec86600 -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 10 Nov 2014, Jan Cholasta wrote:
From 63846b20707b194d0be635fa086fbbe463561d02 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:59 +
Subject: [PATCH 5/7] Fix unchecked return values in ipa-winsync
https://fedorahosted.org/freeipa/ticket/4651
ACK
---
.../ipa-winsync/ipa-winsync-config.c | 40 +++---
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index 65ceaea..8b62aed 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -905,9 +905,9 @@ ipa_winsync_config_refresh_domain(
if (!iwdc-realm_name) {
/* error - could not find the IPA config entry with the realm name */
-LOG_FATAL(Error: could not find the entry containing the realm name for
- ds subtree [%s] filter [%s] attr [%s]\n,
- slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr);
+LOG_FATAL(Error: could not find the entry containing the realm name
+ [%d] ds subtree [%s] filter [%s] attr [%s]\n,
+ ret, slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr);
goto out;
}
@@ -918,9 +918,9 @@ ipa_winsync_config_refresh_domain(
new_user_objclasses, NULL);
if (!new_user_objclasses) {
/* error - could not find the entry containing list of objectclasses */
-LOG_FATAL(Error: could not find the entry containing the new user
objectclass list for
- ds subtree [%s] filter [%s] attr [%s]\n,
- slapi_sdn_get_dn(ds_subtree), new_entry_filter,
new_user_oc_attr);
+LOG_FATAL(Error: could not find the entry containing the new user
objectclass list
+ [%d] ds subtree [%s] filter [%s] attr [%s]\n,
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
new_user_oc_attr);
goto out;
}
@@ -933,9 +933,9 @@ ipa_winsync_config_refresh_domain(
NULL, iwdc-homedir_prefix);
if (!iwdc-homedir_prefix) {
/* error - could not find the home dir prefix */
-LOG_FATAL(Error: could not find the entry containing the home directory
prefix for
- ds subtree [%s] filter [%s] attr [%s]\n,
- slapi_sdn_get_dn(ds_subtree), new_entry_filter,
homedir_prefix_attr);
+LOG_FATAL(Error: could not find the entry containing the home directory
prefix
+ [%d] ds subtree [%s] filter [%s] attr [%s]\n,
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
homedir_prefix_attr);
goto out;
}
@@ -950,8 +950,8 @@ ipa_winsync_config_refresh_domain(
NULL, iwdc-login_shell);
if (!iwdc-login_shell) {
LOG(Warning: could not find the entry containing the login shell
-attribute for ds subtree [%s] filter [%s] attr [%s]\n,
-slapi_sdn_get_dn(ds_subtree), new_entry_filter,
+attribute [%d] ds subtree [%s] filter [%s] attr [%s]\n,
+ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
login_shell_attr);
}
}
@@ -969,9 +969,9 @@ ipa_winsync_config_refresh_domain(
NULL, default_group_name);
if (!default_group_name) {
/* error - could not find the default group name */
-LOG_FATAL(Error: could not find the entry containing the default group
name for
- ds subtree [%s] filter [%s] attr [%s]\n,
- slapi_sdn_get_dn(ds_subtree), new_entry_filter,
default_group_attr);
+LOG_FATAL(Error: could not find the entry containing the default group
name
+ [%d] ds subtree [%s] filter [%s] attr [%s]\n,
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
default_group_attr);
goto out;
}
@@ -1014,9 +1014,9 @@ ipa_winsync_config_refresh_domain(
NULL, inactivated_group_dn);
if (!inactivated_group_dn) {
/* error - could not find the inactivated group dn */
-LOG(Could not find the DN of the inactivated users group ds
-subtree [%s] filter [%s]. Ignoring\n,
-slapi_sdn_get_dn(ds_subtree), inactivated_filter);
+LOG(Could not find the DN of the inactivated users group
+[%d] ds subtree [%s] filter [%s]. Ignoring\n,
+ret, slapi_sdn_get_dn(ds_subtree), inactivated_filter);
goto out;
}
}
@@ -1026,9 +1026,9 @@ ipa_winsync_config_refresh_domain(
NULL,
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 10 Nov 2014, Jan Cholasta wrote:
From 5cfc5d50ef7d2e42f10488ddf0d11fa405a8cb84 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:12:02 +
Subject: [PATCH 6/7] Fix unchecked return value in ipa-join
https://fedorahosted.org/freeipa/ticket/4651
---
ipa-client/ipa-join.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 46f6457..ac8251f 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -208,8 +208,11 @@ connect_ldap(const char *hostname, const char *binddn,
const char *bindpw) {
struct berval bindpw_bv;
if (debug) {
-ldapdebug=2;
+ldapdebug = 2;
ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, ldapdebug);
+if (ret != LDAP_OPT_SUCCESS) {
+goto fail;
+}
}
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) !=
LDAP_OPT_SUCCESS)
ACK
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 10 Nov 2014, Jan Cholasta wrote:
From 4e4600da5cd9c42b76a56cdbdb4c1314ee7b0a2a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:12:52 +
Subject: [PATCH 7/7] Fix unchecked return value in krb5 common utils
https://fedorahosted.org/freeipa/ticket/4651
---
util/ipa_krb5.c | 4
1 file changed, 4 insertions(+)
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 6334ed3..feb23ea 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -730,6 +730,10 @@ struct berval *create_key_control(struct keys_container
*keys,
if (ksdata[i].salttype == NO_SALT) {
ret = ber_printf(be, });
+if (ret == -1) {
+ber_free(be, 1);
+return NULL;
+}
continue;
}
ACK
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 18 Nov 2014, Jan Cholasta wrote:
Dne 12.11.2014 v 08:58 Petr Spacek napsal(a):
On 11.11.2014 12:27, Jan Cholasta wrote:
Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
Guys, I did not see the code but all instances of ignore return code I have
seen were wrong, including cases where code comment explicitly said we ignore
return code on purpose :-)
At least log an error message if you can't think of anything better ...
I don't disagree, if that's the proper fix.
Alexander, or someone else, could you please finish the review of the
patches? Thanks.
I've ACKed other patches but I'm not going to accept this patch. Rest is
fine.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 24.11.2014 v 14:44 Alexander Bokovoy napsal(a):
On Tue, 18 Nov 2014, Jan Cholasta wrote:
Dne 12.11.2014 v 08:58 Petr Spacek napsal(a):
On 11.11.2014 12:27, Jan Cholasta wrote:
Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00
2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code
ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
Guys, I did not see the code but all instances of ignore return
code I have
seen were wrong, including cases where code comment explicitly said
we ignore
return code on purpose :-)
At least log an error message if you can't think of anything better ...
I don't disagree, if that's the proper fix.
Alexander, or someone else, could you please finish the review of the
patches? Thanks.
I've ACKed other patches but I'm not going to accept this patch. Rest is
fine.
That's fine with me, but I'm still going to need a little hint on how
this should in fact be fixed.
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 11.11.2014 v 11:13 Jan Cholasta napsal(a):
Dne 10.11.2014 v 19:25 Jan Cholasta napsal(a):
Hi,
the attached patches provide additional fixes for
https://fedorahosted.org/freeipa/ticket/4651.
I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct,
please check them carefully.
Honza
Changed the ticket to https://fedorahosted.org/freeipa/ticket/4713.
Updated patches attached.
Attaching additional patch for an issue that popped up recently.
--
Jan Cholasta
From fef20b5966b4a49cc8c230437cf8f06899b51840 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 24 Nov 2014 13:57:10 +
Subject: [PATCH] Fix memory leak in GetKeytabControl asn1 code
https://fedorahosted.org/freeipa/ticket/4713
---
asn1/ipa_asn1.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/asn1/ipa_asn1.c b/asn1/ipa_asn1.c
index 50851a8..9efca96 100644
--- a/asn1/ipa_asn1.c
+++ b/asn1/ipa_asn1.c
@@ -77,12 +77,12 @@ bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
{
GetKeytabControl_t gkctrl = { 0 };
bool ret = false;
+KrbKey_t *KK;
gkctrl.present = GetKeytabControl_PR_reply;
gkctrl.choice.reply.newkvno = kvno;
for (int i = 0; i keys-nkeys; i++) {
-KrbKey_t *KK;
KK = calloc(1, sizeof(KrbKey_t));
if (!KK) goto done;
KK-key.type = keys-ksdata[i].key.enctype;
@@ -109,9 +109,18 @@ bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
}
ret = encode_GetKeytabControl(gkctrl, buf, len);
+KK = NULL;
done:
ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, gkctrl);
+if (KK) {
+free(KK-key.value.buf);
+if (KK-salt) {
+free(KK-salt-value.buf);
+free(KK-salt);
+}
+free(KK);
+}
return ret;
}
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Mon, 24 Nov 2014, Jan Cholasta wrote:
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code
ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
Guys, I did not see the code but all instances of ignore return
code I have
seen were wrong, including cases where code comment explicitly said
we ignore
return code on purpose :-)
At least log an error message if you can't think of anything better ...
I don't disagree, if that's the proper fix.
Alexander, or someone else, could you please finish the review of the
patches? Thanks.
I've ACKed other patches but I'm not going to accept this patch. Rest is
fine.
That's fine with me, but I'm still going to need a little hint on how
this should in fact be fixed.
Right. My main issue is that the change in this patch actually changes
the flow for signing MS-PAC in case we were unable to retrieve our
defaults. We need to ignore the return code of ipadb_reinit_mspac() here
because we are simply not going to add MS PAC with our signature, not
fully denying getting the ticket (that check is in a separate place)
because this affects also our realm's principals. Consider a case when
ipa-adtrust-install wasn't even run, this is where we'll get non-working
MS-PAC defaults and we silently drop the MS-PAC signing.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 12.11.2014 v 08:58 Petr Spacek napsal(a):
On 11.11.2014 12:27, Jan Cholasta wrote:
Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
Guys, I did not see the code but all instances of ignore return code I have
seen were wrong, including cases where code comment explicitly said we ignore
return code on purpose :-)
At least log an error message if you can't think of anything better ...
I don't disagree, if that's the proper fix.
Alexander, or someone else, could you please finish the review of the
patches? Thanks.
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 10.11.2014 v 19:25 Jan Cholasta napsal(a):
Hi,
the attached patches provide additional fixes for
https://fedorahosted.org/freeipa/ticket/4651.
I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct,
please check them carefully.
Honza
Changed the ticket to https://fedorahosted.org/freeipa/ticket/4713.
Updated patches attached.
--
Jan Cholasta
From c2a03a9e062df5691431babeb55119dbda6b2c67 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:20:18 +
Subject: [PATCH 1/7] Remove redefinition of LOG from ipa-otp-lasttoken
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index d20fca1..15b404d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -47,9 +47,6 @@
#include util.h
#define PLUGIN_NAME ipa-otp-lasttoken
-#define LOG(sev, ...) \
-slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
-%s: %s\n, __func__, __VA_ARGS__), -1
static void *plugin_id;
static const Slapi_PluginDesc preop_desc = {
--
2.1.0
From 10b309f53852665050465df8aa44290dfe232291 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:33:23 +
Subject: [PATCH 2/7] Unload P11_Helper object's library when it is finalized
in ipap11helper
https://fedorahosted.org/freeipa/ticket/4713
---
ipapython/ipap11helper/library.c | 5 +
ipapython/ipap11helper/p11helper.c | 9 +++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipapython/ipap11helper/library.c b/ipapython/ipap11helper/library.c
index 51e24eb..619604d 100644
--- a/ipapython/ipap11helper/library.c
+++ b/ipapython/ipap11helper/library.c
@@ -70,6 +70,11 @@ CK_C_GetFunctionList loadLibrary(char* module, void** moduleHandle)
// Retrieve the entry point for C_GetFunctionList
pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib, C_GetFunctionList);
+ if (pGetFunctionList == NULL)
+ {
+ dlclose(pDynLib);
+ return NULL;
+ }
// Store the handle so we can dlclose it later
*moduleHandle = pDynLib;
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 038c26c..558185e 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -66,6 +66,7 @@ PyObject_HEAD
CK_SLOT_ID slot;
CK_FUNCTION_LIST_PTR p11;
CK_SESSION_HANDLE session;
+void *module_handle;
} P11_Helper;
typedef enum {
@@ -478,6 +479,7 @@ P11_Helper_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
self-slot = 0;
self-session = 0;
self-p11 = NULL;
+self-module_handle = NULL;
}
return (PyObject *) self;
@@ -496,12 +498,12 @@ static int P11_Helper_init(P11_Helper *self, PyObject *args, PyObject *kwds) {
CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
module_handle);
if (!pGetFunctionList) {
-if (module_handle != NULL)
-unloadLibrary(module_handle);
PyErr_SetString(ipap11helperError, Could not load the library.);
return -1;
}
+self-module_handle = module_handle;
+
/*
* Load the function list
*/
@@ -567,9 +569,12 @@ P11_Helper_finalize(P11_Helper* self) {
*/
self-p11-C_Finalize(NULL);
+unloadLibrary(self-module_handle);
+
self-p11 = NULL;
self-session = 0;
self-slot = 0;
+self-module_handle = NULL;
return Py_None;
}
--
2.1.0
From 7ca2b25b93f1e3bff1e4c54ef1794cad462e533a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:40:35 +
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-sam/ipa_sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
krb5_free_principal(data.context, in_creds.server);
krb5_free_principal(data.context, in_creds.client);
- if (rc) {
+ if (rc != 0 rc != KRB5KRB_AP_ERR_TKT_NYV rc != KRB5KRB_AP_ERR_TKT_EXPIRED) {
rc = bind_callback_obtain_creds(data);
if (rc) {
bind_callback_cleanup(data, rc);
--
2.1.0
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 7ca2b25b93f1e3bff1e4c54ef1794cad462e533a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:40:35 +
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-sam/ipa_sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct
smbldap_state *ldap_state, vo
krb5_free_principal(data.context, in_creds.server);
krb5_free_principal(data.context, in_creds.client);
- if (rc) {
+ if (rc != 0 rc != KRB5KRB_AP_ERR_TKT_NYV rc !=
KRB5KRB_AP_ERR_TKT_EXPIRED) {
rc = bind_callback_obtain_creds(data);
if (rc) {
bind_callback_cleanup(data, rc);
ACK
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ipactx-kdc_hostname, strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
On 11.11.2014 12:27, Jan Cholasta wrote:
Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
On Tue, 11 Nov 2014, Jan Cholasta wrote:
From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0 kerr != ENOENT) {
+goto done;
+}
}
}
I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.
OK, what would be a proper fix? Just ignore the return value of
ipadb_reinit_mspac here?
Guys, I did not see the code but all instances of ignore return code I have
seen were wrong, including cases where code comment explicitly said we ignore
return code on purpose :-)
At least log an error message if you can't think of anything better ...
--
Petr^2 Spacek
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes
Hi,
the attached patches provide additional fixes for
https://fedorahosted.org/freeipa/ticket/4651.
I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct,
please check them carefully.
Honza
--
Jan Cholasta
From a195644143042a0161de81472646f41f503ffe48 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:20:18 +
Subject: [PATCH 1/7] Remove redefinition of LOG from ipa-otp-lasttoken
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index d20fca1..15b404d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -47,9 +47,6 @@
#include util.h
#define PLUGIN_NAME ipa-otp-lasttoken
-#define LOG(sev, ...) \
-slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
-%s: %s\n, __func__, __VA_ARGS__), -1
static void *plugin_id;
static const Slapi_PluginDesc preop_desc = {
--
2.1.0
From b5800224806278ed0d1a165acbe7a12fdd74fbf6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:33:23 +
Subject: [PATCH 2/7] Unload P11_Helper object's library when it is finalized
in ipap11helper
https://fedorahosted.org/freeipa/ticket/4651
---
ipapython/ipap11helper/library.c | 5 +
ipapython/ipap11helper/p11helper.c | 9 +++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipapython/ipap11helper/library.c b/ipapython/ipap11helper/library.c
index 51e24eb..619604d 100644
--- a/ipapython/ipap11helper/library.c
+++ b/ipapython/ipap11helper/library.c
@@ -70,6 +70,11 @@ CK_C_GetFunctionList loadLibrary(char* module, void** moduleHandle)
// Retrieve the entry point for C_GetFunctionList
pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib, C_GetFunctionList);
+ if (pGetFunctionList == NULL)
+ {
+ dlclose(pDynLib);
+ return NULL;
+ }
// Store the handle so we can dlclose it later
*moduleHandle = pDynLib;
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 038c26c..558185e 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -66,6 +66,7 @@ PyObject_HEAD
CK_SLOT_ID slot;
CK_FUNCTION_LIST_PTR p11;
CK_SESSION_HANDLE session;
+void *module_handle;
} P11_Helper;
typedef enum {
@@ -478,6 +479,7 @@ P11_Helper_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
self-slot = 0;
self-session = 0;
self-p11 = NULL;
+self-module_handle = NULL;
}
return (PyObject *) self;
@@ -496,12 +498,12 @@ static int P11_Helper_init(P11_Helper *self, PyObject *args, PyObject *kwds) {
CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
module_handle);
if (!pGetFunctionList) {
-if (module_handle != NULL)
-unloadLibrary(module_handle);
PyErr_SetString(ipap11helperError, Could not load the library.);
return -1;
}
+self-module_handle = module_handle;
+
/*
* Load the function list
*/
@@ -567,9 +569,12 @@ P11_Helper_finalize(P11_Helper* self) {
*/
self-p11-C_Finalize(NULL);
+unloadLibrary(self-module_handle);
+
self-p11 = NULL;
self-session = 0;
self-slot = 0;
+self-module_handle = NULL;
return Py_None;
}
--
2.1.0
From 26d61f0284dba1ac98ae02260536772465da8819 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:40:35 +
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-sam/ipa_sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
krb5_free_principal(data.context, in_creds.server);
krb5_free_principal(data.context, in_creds.client);
- if (rc) {
+ if (rc != 0 rc != KRB5KRB_AP_ERR_TKT_NYV rc != KRB5KRB_AP_ERR_TKT_EXPIRED) {
rc = bind_callback_obtain_creds(data);
if (rc) {
bind_callback_cleanup(data, rc);
--
2.1.0
From 6a386daa320c0db9c47709330d793881bda3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
---
