Fix defcred leak in krb5 gss_inquire_cred()

Commit 1cd2821 altered the memory management of krb5_gss_inquire_cred(), introducing defcred to act as an owner pointer when the function must acquire a default credential. The commit neglected to update the code to release the default cred along the successful path. The old code does not trigger because cred_handle is now reassigned, so the default credential is leaked. Unify the success and failure cleanup for this function so that defcred is properly released on success. Reported by Pavel Březina. ticket: 9016 tags: pullup target_version: 1.19-next target_version: 1.18-next
krb5 · Jul 21, 2021 · 593e164 · 593e164
1 parent 65612e5
commit 593e164
Showing 1 changed file with 6 additions and 10 deletions.
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     if ((code = krb5_timeofday(context, &now))) {
         *minor_status = code;
         ret = GSS_S_FAILURE;
-        goto fail;
+        goto cleanup;
     }
 
     if (cred->expire != 0) {
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             *minor_status = code;
             save_error_info(*minor_status, context);
             ret = GSS_S_FAILURE;
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
             if (ret_name)
                 kg_release_name(context, &ret_name);
             /* *minor_status set above */
-            goto fail;
+            goto cleanup;
         }
     }
 
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
 
     if (cred_usage)
         *cred_usage = cred->usage;
-    k5_mutex_unlock(&cred->lock);
 
     if (mechanisms) {
         *mechanisms = mechs;
         mechs = GSS_C_NO_OID_SET;
     }
 
-    if (cred_handle == GSS_C_NO_CREDENTIAL)
-        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
-    krb5_free_context(context);
     *minor_status = 0;
-    return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
-fail:
+    ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
+
+cleanup:
     k5_mutex_unlock(&cred->lock);
     krb5_gss_release_cred(&tmpmin, &defcred);
     krb5_free_context(context);