#4236 prep_ksdata may leak memory
Closed: Fixed None Opened 8 years ago by mkosek.

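Coverity issue 12455 (RESOURCE_LEAK): in the `else` branch of `prep_ksdata`, the copy of `str` made by `strdup()` and held in `tmp` is not freed when the following `calloc()` fails and the function returns 0 at line 837. Freeing `tmp` before that return would close the leak. Annotated trace: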

 780static int prep_ksdata(krb5_context krbctx, const char *str,
 781                       struct keys_container *keys,
 782                       char **err_msg)
 783{
 784    struct krb_key_salt *ksdata;
 785    krb5_error_code krberr;
 786    int n, i, j, nkeys;
 787
 788    *err_msg = NULL;
 789
        1. Condition str == NULL, taking false branch
 790    if (str == NULL) {
 791        krb5_enctype *ktypes;
 792
 793        krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
 794        if (krberr) {
 795            *err_msg = _("No system preferred enctypes ?!\n");
 796            return 0;
 797        }
 798
 799        for (n = 0; ktypes[n]; n++) /* count */ ;
 800
 801        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
 802        if (NULL == ksdata) {
 803            *err_msg = _("Out of memory!?\n");
 804            return 0;
 805        }
 806
 807        for (i = 0; i < n; i++) {
 808            ksdata[i].enctype = ktypes[i];
 809            ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL;
 810        }
 811
 812        ipa_krb5_free_ktypes(krbctx, ktypes);
 813
 814        nkeys = i;
 815
 816    } else {
 817        char *tmp, *t, *p, *q;
 818
        2. alloc_fn: Storage is returned from allocation function strdup.
        3. var_assign: Assigning: tmp = storage returned from strdup(str).
        4. var_assign: Assigning: t = tmp.
 819        t = tmp = strdup(str);
        5. Condition !tmp, taking false branch
 820        if (!tmp) {
 821            *err_msg = _("Out of memory\n");
 822            return 0;
 823        }
 824
 825        /* count */
 826        n = 0;
        6. noescape: Resource t is not freed or pointed-to in strchr.
        7. Condition p = strchr(t, 44), taking false branch
 827        while ((p = strchr(t, ','))) {
 828            t = p+1;
 829            n++;
 830        }
 831        n++; /* count the last one that is 0 terminated instead */
 832
 833        /* at the end we will have at most n entries + 1 terminating */
 834        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
        8. Condition !ksdata, taking true branch
 835        if (!ksdata) {
 836            *err_msg = _("Out of memory\n");
        9. leaked_storage: Variable t going out of scope leaks the storage it points to.

CID 12455 (#1 of 1): Resource leak (RESOURCE_LEAK)
10. leaked_storage: Variable tmp going out of scope leaks the storage it points to.
 837            return 0;
 838        }

Moving stabilization tickets that do not affect FreeIPA 4.0 release usability in any significant way to 4.0.1 stabilization milestone.

Metadata Update from @mkosek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago
