IPA: memory leak fixed

[alexey-tikhonov]

Result allocated by sss_base64_decode() on NULL context was never freed.

[gemini-code-assist]

Code Review

This pull request updates the memory context used for base64 decoding in get_extra_attrs to use resp_attrs->sysdb_attrs. Feedback highlights memory leaks in error paths where allocated resources like name and values are not freed, and suggests manual cleanup of decoded data to avoid memory accumulation within the request context.

[gemini-code-assist]

The error path when sss_base64_decode fails (line 659) leaks the memory allocated for name and values by ber_scanf. These resources should be explicitly freed before returning EINVAL. Note that a similar leak exists on the error path at line 653.

Additionally, while using resp_attrs->sysdb_attrs as a context prevents a permanent leak to the global context, it results in memory accumulation within the request context because sysdb_attrs_add_val_safe duplicates the data. For better efficiency, consider freeing v.data once it has been successfully added to the attributes.

                v.data = sss_base64_decode(resp_attrs->sysdb_attrs, values[c]->bv_val, &v.length);
                if (v.data == NULL) {
                    DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n");
                    ldap_memfree(name);
                    ber_bvecfree(values);
                    return EINVAL;
                }

[alexey-tikhonov]

For better efficiency, consider freeing v.data once it has been successfully added to the attributes.

That would be cumbersome because mem is allocated only for SYSDB_USER_CERT.

[sumit-bose]

Hi,

thank you for the fix, ACK.

bye,
Sumit

[alexey-tikhonov]

Failing test_kcm__tgt_renewal_updates_ticket_as_configured is a known flaky test.

[alexey-tikhonov]

/gemini review

[aplopez]

ACK.
Thanks.

[gemini-code-assist]

Code Review

This pull request fixes memory leaks in src/providers/ipa/ipa_s2n_exop.c by ensuring that name and values are properly freed in error paths. It also updates the memory context used for base64 decoding. A review comment suggests that using resp_attrs->sysdb_attrs as the context for sss_base64_decode may lead to memory accumulation because the data is copied later in the function, recommending that the decoded buffer be freed explicitly or handled via a temporary context.

[alexey-tikhonov]

@arrowd,
FreeBSD build started to fail with

  pkg: Repository FreeBSD-ports has a wrong packagesite, need to re-create database
  pkg: Repository FreeBSD-ports cannot be opened. 'pkg update' required
  pkg: No packages available to install matching 'autoconf' have been found in the repositories
  ...

Not sure if this is tmp infra issue or what...

[arrowd]

Yep, this is a problem on our side. Let's ignore FreeBSD failures in the CI for now until we fix our stuff.

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🔴 Build / freebsd (failure)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
🔴 ci / system (fedora-45) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.