URL: https://github.com/SSSD/sssd/pull/5453 Author: pbrezina Title: #5453: gssapi: default pam_gssapi_services to NULL in domain section Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5453/head:pr5453 git checkout pr5453
From 1e15e80d79bdc0ba34d8b238562e3baa890763ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <[email protected]> Date: Mon, 11 Jan 2021 13:11:39 +0100 Subject: [PATCH 1/2] gssapi: default pam_gssapi_services to NULL in domain section We need to distinguish when the option is not set in domain section and when it is is explicitly disabled. Now if it is not set, domain->gssapi_services is NULL and we'll use value from the pam section. Without this change, the value in the pam section is ignored. --- src/confdb/confdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 2881ce5da7..befcfff2db 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, - "-"); + NULL); if (tmp != NULL) { ret = split_on_separator(domain, tmp, ',', true, true, &domain->gssapi_services, NULL); From 558bfa79f0439d528c92cbe3dae2c6f6d600c12f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <[email protected]> Date: Tue, 12 Jan 2021 13:50:11 +0100 Subject: [PATCH 2/2] pam_sss_gssapi: fix coverity issues ``` 1. Defect type: RESOURCE_LEAK 7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to. Expand 2. Defect type: RESOURCE_LEAK 3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to. Expand 3. Defect type: RESOURCE_LEAK 7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to. Expand 4. Defect type: RESOURCE_LEAK 6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to. Expand 5. Defect type: RESOURCE_LEAK 7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to. Expand 6. Defect type: RESOURCE_LEAK 7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to. 1. Defect type: CLANG_WARNING 1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username' Expand 2. Defect type: CLANG_WARNING 1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn' Expand 3. Defect type: CLANG_WARNING 1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target' Expand 4. Defect type: CLANG_WARNING 1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain' ``` --- src/sss_client/pam_sss_gss.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c index cd38db7da7..ea90e35c27 100644 --- a/src/sss_client/pam_sss_gss.c +++ b/src/sss_client/pam_sss_gss.c @@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, struct sss_cli_req_data req_data; size_t service_len; size_t user_len; + size_t reply_len; + uint8_t *reply; uint8_t *data; errno_t ret; int ret_errno; @@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, req_data.data = data; - ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len, + ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len, &ret_errno); free(data); if (ret != PAM_SUCCESS) { @@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, return (ret_errno != EOK) ? ret_errno : EIO; } + if (ret_errno == EOK) { + *_reply = reply; + *_reply_len = reply_len; + } else { + /* We got PAM_SUCCESS therefore the communication with SSSD was + * successful and we have received a reply buffer. We just don't care + * about it, we are only interested in the error code. */ + free(reply); + } + return ret_errno; } @@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply, target = malloc(reply_len * sizeof(char)); upn = malloc(reply_len * sizeof(char)); if (username == NULL || domain == NULL || target == NULL || upn == NULL) { - return ENOMEM; + ret = ENOMEM; + goto done; } buf = (const char*)reply; @@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, done: sss_pam_close_fd(); + free(username); free(domain); free(target); free(upn);
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
