Fix princflags memory management

Fix some out of memory error cases (found by Coverity) that could cause multiple frees or freeing of invalid pointers. In krb5_flagnum_to_string(), don't assume that asprintf() stores a null pointer on failure (it does in BSD but not in glibc). In krb5_flags_to_strings(), free the correct pointer in the cleanup loop in on error. ticket: 8215
krb5 · Jul 16, 2015 · dd5f948 · dd5f948
1 parent 1c12dd5
commit dd5f948
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
@@ -196,22 +196,24 @@ krb5_flagspec_to_mask(const char *spec, krb5_flags *toset, krb5_flags *toclear)
 }
 
 /*
- * Copy the flag name of flagnum to outstr.
+ * Copy the flag name of flagnum to outstr.  On error, outstr points to a null
+ * pointer.
  */
 krb5_error_code
 krb5_flagnum_to_string(int flagnum, char **outstr)
 {
     const char *s = NULL;
 
     *outstr = NULL;
-    if ((unsigned int)flagnum < NOUTFLAGS) {
+    if ((unsigned int)flagnum < NOUTFLAGS)
         s = outflags[flagnum];
-    }
-    if (s == NULL)
+    if (s == NULL) {
         /* Assume that krb5_flags are 32 bits long. */
-        asprintf(outstr, "0x%08lx", 1UL<<flagnum);
-    else
+        if (asprintf(outstr, "0x%08lx", 1UL << flagnum) == -1)
+            *outstr = NULL;
+    } else {
         *outstr = strdup(s);
+    }
     if (*outstr == NULL)
         return ENOMEM;
     return 0;
@@ -242,15 +244,15 @@ krb5_flags_to_strings(krb5_int32 flags, char ***outarray)
         }
         a = a_new;
         retval = krb5_flagnum_to_string(i, &a[amax++]);
+        a[amax] = NULL;
         if (retval)
             goto cleanup;
-        a[amax] = NULL;
     }
     *outarray = a;
     return 0;
 cleanup:
     for (ap = a; ap != NULL && *ap != NULL; ap++) {
-        free(ap);
+        free(*ap);
     }
     free(a);
     return retval;

diff --git a/src/tests/t_princflags.py b/src/tests/t_princflags.py
@@ -103,6 +103,18 @@ def one_aclcheck(ftuple, doset):
             fail('Failed to keep flag ' + outname + ' clear')
 
 
+# Set all flags simultaneously, even the ones that aren't defined yet.
+def lamptest():
+    pat = re.compile('^Attributes: ' +
+                     ' '.join(flags2namelist(0xffffffff)) +
+                     '$', re.MULTILINE)
+    realm.run([kadminl, 'ank', '-pw', 'password', '+0xffffffff', 'test'])
+    out = realm.run([kadminl, 'getprinc', 'test'])
+    if not pat.search(out):
+        fail('Failed to simultaenously set all flags')
+    realm.run([kadminl, 'delprinc', 'test'])
+
+
 for ftuple in kadmin_ftuples:
     one_kadmin_flag(ftuple)
 
@@ -122,5 +134,6 @@ def one_aclcheck(ftuple, doset):
     one_aclcheck(ftuple, True)
     one_aclcheck(ftuple, False)
 
+lamptest()
 
 success('KDB principal flags')