8304136: Match allocation and free in sspi.cpp

wangweij · wangweij · commit 765a94258d84 · 2023-03-24T18:40:07.000Z
Reviewed-by: djelinski
diff --git a/src/java.security.jgss/windows/native/libsspi_bridge/sspi.cpp b/src/java.security.jgss/windows/native/libsspi_bridge/sspi.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -281,7 +281,13 @@ get_full_name(WCHAR* input)
             continue;
         }
         if (input[i] == L'@') {
-            return _wcsdup(input);
+            size_t newlen = wcslen(input) + 1;
+            WCHAR* result = new WCHAR[newlen];
+            if (!result) {
+                return NULL;
+            }
+            wcscpy_s(result, newlen, input);
+            return result;
         }
     }
 
@@ -539,7 +545,7 @@ gss_export_name(OM_uint32 *minor_status,
     // We only deal with not-so-long names.
     // 04 01 00 ** 06 ** OID len:int32 name
     int mechLen = KRB5_OID.length;
-    char* buffer = new char[10 + mechLen + len];
+    char* buffer = (char*) malloc(10 + mechLen + len);
     if (buffer == NULL) {
         goto err;
     }
@@ -555,7 +561,7 @@ gss_export_name(OM_uint32 *minor_status,
     len = WideCharToMultiByte(CP_UTF8, 0, fullname, len,
                 buffer+10+mechLen, len, NULL, NULL);
     if (len == 0) {
-        delete[] buffer;
+        free(buffer);
         goto err;
     }
     exported_name->length = 10 + mechLen + len;
@@ -580,13 +586,13 @@ gss_display_name(OM_uint32 *minor_status,
 
     SEC_WCHAR* names = input_name->name;
     int len = (int)wcslen(names);
-    char* buffer = new char[4*len+1];
+    char* buffer = (char*) malloc(4*len+1);
     if (buffer == NULL) {
         return GSS_S_FAILURE;
     }
     len = WideCharToMultiByte(CP_UTF8, 0, names, len, buffer, 4*len, NULL, NULL);
     if (len == 0) {
-        delete[] buffer;
+        free(buffer);
         return GSS_S_FAILURE;
     }
     buffer[len] = 0;
@@ -802,6 +808,7 @@ gss_inquire_cred(OM_uint32 *minor_status,
         }
         SEC_WCHAR* names = new SEC_WCHAR[lstrlen(snames.sUserName) + 1];
         if (names == NULL) {
+            FreeContextBuffer(snames.sUserName);
             return GSS_S_FAILURE;
         }
         StringCchCopy(names, lstrlen(snames.sUserName) + 1, snames.sUserName);
@@ -990,7 +997,7 @@ gss_init_sec_context(OM_uint32 *minor_status,
     output_token->length = outSecBuff.cbBuffer;
     if (outSecBuff.cbBuffer) {
         // No idea how user would free the data. Let's duplicate one.
-        output_token->value = new char[outSecBuff.cbBuffer];
+        output_token->value = malloc(outSecBuff.cbBuffer);
         if (!output_token->value) {
             FreeContextBuffer(outSecBuff.pvBuffer);
             goto err;
@@ -1012,13 +1019,13 @@ gss_init_sec_context(OM_uint32 *minor_status,
         return GSS_S_COMPLETE;
     }
 err:
-    if (newCred) {
-        delete newCred;
-    }
     if (firstTime) {
         OM_uint32 dummy;
         gss_delete_sec_context(&dummy, context_handle, GSS_C_NO_BUFFER);
     }
+    if (newCred) {
+        delete newCred;
+    }
     if (output_token->value) {
         gss_release_buffer(NULL, output_token);
     }
@@ -1241,7 +1248,7 @@ gss_get_mic(OM_uint32 *minor_status,
 
     secBuff[1].BufferType = SECBUFFER_TOKEN;
     secBuff[1].cbBuffer = context_handle->SecPkgContextSizes.cbMaxSignature;
-    secBuff[1].pvBuffer = msg_token->value = new char[secBuff[1].cbBuffer];
+    secBuff[1].pvBuffer = msg_token->value = malloc(secBuff[1].cbBuffer);
 
     if (!secBuff[1].pvBuffer) {
         goto err;
@@ -1260,7 +1267,7 @@ gss_get_mic(OM_uint32 *minor_status,
     msg_token->length = 0;
     msg_token->value = NULL;
     if (secBuff[1].pvBuffer) {
-        delete[] secBuff[1].pvBuffer;
+        free(secBuff[1].pvBuffer);
     }
     return GSS_S_FAILURE;
 }
@@ -1324,19 +1331,19 @@ gss_wrap(OM_uint32 *minor_status,
 
     SECURITY_STATUS ss;
     SecBufferDesc buffDesc;
-    SecBuffer secBuff[3];
+    SecBuffer secBuff[3] = {0};
 
     buffDesc.ulVersion = SECBUFFER_VERSION;
     buffDesc.cBuffers = 3;
     buffDesc.pBuffers = secBuff;
 
     secBuff[0].BufferType = SECBUFFER_TOKEN;
     secBuff[0].cbBuffer = context_handle->SecPkgContextSizes.cbSecurityTrailer;
-    output_message_buffer->value = secBuff[0].pvBuffer = malloc(
+    secBuff[0].pvBuffer = malloc(
             context_handle->SecPkgContextSizes.cbSecurityTrailer
                     + input_message_buffer->length
                     + context_handle->SecPkgContextSizes.cbBlockSize);;
-    if (!output_message_buffer->value) {
+    if (!secBuff[0].pvBuffer) {
         goto err;
     }
 
@@ -1376,8 +1383,10 @@ gss_wrap(OM_uint32 *minor_status,
             secBuff[2].pvBuffer,
             secBuff[2].cbBuffer);
 
+    output_message_buffer->value = secBuff[0].pvBuffer;
     output_message_buffer->length = secBuff[0].cbBuffer + secBuff[1].cbBuffer
             + secBuff[2].cbBuffer;
+
     free(secBuff[1].pvBuffer);
     free(secBuff[2].pvBuffer);
 
@@ -1413,7 +1422,7 @@ gss_unwrap(OM_uint32 *minor_status,
 
     SECURITY_STATUS ss;
     SecBufferDesc buffDesc;
-    SecBuffer secBuff[2];
+    SecBuffer secBuff[2] = {0};
     ULONG ulQop = 0;
 
     buffDesc.cBuffers = 2;
@@ -1445,7 +1454,7 @@ gss_unwrap(OM_uint32 *minor_status,
 
     // Must allocate a new memory block so client can release it correctly
     output_message_buffer->length = secBuff[1].cbBuffer;
-    output_message_buffer->value = new char[secBuff[1].cbBuffer];
+    output_message_buffer->value = malloc(secBuff[1].cbBuffer);
 
     if (!output_message_buffer->value) {
         goto err;
@@ -1595,7 +1604,7 @@ gss_display_status(OM_uint32 *minor_status,
             MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
             msg, 256, 0);
     if (len > 0) {
-        status_string->value = new char[len + 20];
+        status_string->value = malloc(len + 20);
         if (!status_string->value) {
             status_string = GSS_C_NO_BUFFER;
             return GSS_S_FAILURE;
@@ -1604,7 +1613,7 @@ gss_display_status(OM_uint32 *minor_status,
                 (LPSTR)status_string->value, len + 19,
                 "(%lx) %ls", status_value, msg);
     } else {
-        status_string->value = new char[33];
+        status_string->value = malloc(33);
         if (!status_string->value) {
             status_string = GSS_C_NO_BUFFER;
             return GSS_S_FAILURE;
@@ -1662,7 +1671,7 @@ gss_release_buffer(OM_uint32 *minor_status,
         return GSS_S_COMPLETE;
     }
     if (buffer->value) {
-        delete[] buffer->value;
+        free(buffer->value);
         buffer->value = NULL;
     }
     buffer->length = 0;
