KCM: Reduce the amount of memory allocated for the packages

Some packages are being allocated to their maximum size, even though all
that memory is not required. When the amount of memory needed is not know,
We reduce the amount of memory allocated to the initial size defined by
the KCM_PACKET_INITIAL_SIZE macro.

The existing KCM_REPLY_MAX was replaced by KCM_PACKET_MAX_SIZE.

Resolves: SSSD#7014

src/responder/kcm/kcmsrv_cmd.c

@@ -34,11 +34,6 @@
 /* The return code is 32bits */
 #define KCM_RETCODE_SIZE 4
 
-/* The maximum length of a request or reply as defined by the RPC
- * protocol. This is the same constant size as MIT KRB5 uses
- */
-#define KCM_PACKET_MAX_SIZE 10*1024*1024
-
 /* KCM operation, its raw input and raw output and result */
 struct kcm_op_io {
     struct kcm_op *op;

src/responder/kcm/kcmsrv_ops.c

@@ -32,11 +32,6 @@
 #include "responder/kcm/kcmsrv_ops.h"
 #include "responder/kcm/kcmsrv_ccache.h"
 
-/* This limit comes from:
- * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
- */
-#define KCM_REPLY_MAX 10*1024*1024
-
 struct kcm_op_ctx {
     struct kcm_resp_ctx *kcm_data;
     struct kcm_conn_data *conn_data;
@@ -114,8 +109,8 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
     DEBUG(SSSDBG_TRACE_LIBS, "%zu bytes on KCM input\n", input->length);
 
     state->reply = sss_iobuf_init_empty(state,
-                                        KCM_REPLY_MAX,
-                                        KCM_REPLY_MAX);
+                                        KCM_PACKET_INITIAL_SIZE,
+                                        KCM_PACKET_MAX_SIZE);
     if (state->reply == NULL) {
         ret = ENOMEM;
         goto immediate;
@@ -159,8 +154,8 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
      */
     state->op_ctx->reply = sss_iobuf_init_empty(
                                         state,
-                                        KCM_REPLY_MAX - 2*sizeof(uint32_t),
-                                        KCM_REPLY_MAX - 2*sizeof(uint32_t));
+                                        KCM_PACKET_INITIAL_SIZE,
+                                        KCM_PACKET_MAX_SIZE - 2*sizeof(uint32_t));
     if (state->op_ctx->reply == NULL) {
         ret = ENOMEM;
         goto immediate;
@@ -879,7 +874,7 @@ static struct tevent_req *kcm_op_store_send(TALLOC_CTX *mem_ctx,
     DEBUG(SSSDBG_TRACE_LIBS, "Storing credentials for %s\n", name);
 
     creds_len = sss_iobuf_get_size(op_ctx->input) - strlen(name) -1;
-    if (creds_len > KCM_REPLY_MAX) {
+    if (creds_len > KCM_PACKET_MAX_SIZE) {
         /* Protects against underflows and in general adds sanity */
         ret = E2BIG;
         goto immediate;

src/responder/kcm/kcmsrv_ops.h

@@ -29,6 +29,19 @@
 #include "util/sss_iobuf.h"
 #include "responder/kcm/kcmsrv_pvt.h"
 
+/* The initial packet size, which can later be grown up to KCM_PACKET_MAX_SIZE.
+ * The initial size is a trade off that is expected to best serve most of the
+ * cases (typical credentials size).
+ */
+#define KCM_PACKET_INITIAL_SIZE 4096
+
+/* The maximum length of a request or reply as defined by the RPC
+ * protocol. This is the same constant size as MIT KRB5 uses
+ * This limit comes from:
+ * https://github.com/krb5/krb5/blob/c20251dafd6120fa08c76b19315cb9deb1a1b24e/src/lib/krb5/ccache/cc_kcm.c#L54
+ */
+#define KCM_PACKET_MAX_SIZE 10*1024*1024
+
 struct kcm_op;
 struct kcm_op *kcm_get_opt(uint16_t opcode);
 const char *kcm_opt_name(struct kcm_op *op);