Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
8304136: Match allocation and free in sspi.cpp
Reviewed-by: djelinski
  • Loading branch information
wangweij committed Mar 24, 2023
1 parent 3f59b75 commit 765a942
Showing 1 changed file with 29 additions and 20 deletions.
49 changes: 29 additions & 20 deletions src/java.security.jgss/windows/native/libsspi_bridge/sspi.cpp
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -281,7 +281,13 @@ get_full_name(WCHAR* input)
continue;
}
if (input[i] == L'@') {
return _wcsdup(input);
size_t newlen = wcslen(input) + 1;
WCHAR* result = new WCHAR[newlen];
if (!result) {
return NULL;
}
wcscpy_s(result, newlen, input);
return result;
}
}

Expand Down Expand Up @@ -539,7 +545,7 @@ gss_export_name(OM_uint32 *minor_status,
// We only deal with not-so-long names.
// 04 01 00 ** 06 ** OID len:int32 name
int mechLen = KRB5_OID.length;
char* buffer = new char[10 + mechLen + len];
char* buffer = (char*) malloc(10 + mechLen + len);
if (buffer == NULL) {
goto err;
}
Expand All @@ -555,7 +561,7 @@ gss_export_name(OM_uint32 *minor_status,
len = WideCharToMultiByte(CP_UTF8, 0, fullname, len,
buffer+10+mechLen, len, NULL, NULL);
if (len == 0) {
delete[] buffer;
free(buffer);
goto err;
}
exported_name->length = 10 + mechLen + len;
Expand All @@ -580,13 +586,13 @@ gss_display_name(OM_uint32 *minor_status,

SEC_WCHAR* names = input_name->name;
int len = (int)wcslen(names);
char* buffer = new char[4*len+1];
char* buffer = (char*) malloc(4*len+1);
if (buffer == NULL) {
return GSS_S_FAILURE;
}
len = WideCharToMultiByte(CP_UTF8, 0, names, len, buffer, 4*len, NULL, NULL);
if (len == 0) {
delete[] buffer;
free(buffer);
return GSS_S_FAILURE;
}
buffer[len] = 0;
Expand Down Expand Up @@ -802,6 +808,7 @@ gss_inquire_cred(OM_uint32 *minor_status,
}
SEC_WCHAR* names = new SEC_WCHAR[lstrlen(snames.sUserName) + 1];
if (names == NULL) {
FreeContextBuffer(snames.sUserName);
return GSS_S_FAILURE;
}
StringCchCopy(names, lstrlen(snames.sUserName) + 1, snames.sUserName);
Expand Down Expand Up @@ -990,7 +997,7 @@ gss_init_sec_context(OM_uint32 *minor_status,
output_token->length = outSecBuff.cbBuffer;
if (outSecBuff.cbBuffer) {
// No idea how user would free the data. Let's duplicate one.
output_token->value = new char[outSecBuff.cbBuffer];
output_token->value = malloc(outSecBuff.cbBuffer);
if (!output_token->value) {
FreeContextBuffer(outSecBuff.pvBuffer);
goto err;
Expand All @@ -1012,13 +1019,13 @@ gss_init_sec_context(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
err:
if (newCred) {
delete newCred;
}
if (firstTime) {
OM_uint32 dummy;
gss_delete_sec_context(&dummy, context_handle, GSS_C_NO_BUFFER);
}
if (newCred) {
delete newCred;
}
if (output_token->value) {
gss_release_buffer(NULL, output_token);
}
Expand Down Expand Up @@ -1241,7 +1248,7 @@ gss_get_mic(OM_uint32 *minor_status,

secBuff[1].BufferType = SECBUFFER_TOKEN;
secBuff[1].cbBuffer = context_handle->SecPkgContextSizes.cbMaxSignature;
secBuff[1].pvBuffer = msg_token->value = new char[secBuff[1].cbBuffer];
secBuff[1].pvBuffer = msg_token->value = malloc(secBuff[1].cbBuffer);

if (!secBuff[1].pvBuffer) {
goto err;
Expand All @@ -1260,7 +1267,7 @@ gss_get_mic(OM_uint32 *minor_status,
msg_token->length = 0;
msg_token->value = NULL;
if (secBuff[1].pvBuffer) {
delete[] secBuff[1].pvBuffer;
free(secBuff[1].pvBuffer);
}
return GSS_S_FAILURE;
}
Expand Down Expand Up @@ -1324,19 +1331,19 @@ gss_wrap(OM_uint32 *minor_status,

SECURITY_STATUS ss;
SecBufferDesc buffDesc;
SecBuffer secBuff[3];
SecBuffer secBuff[3] = {0};

buffDesc.ulVersion = SECBUFFER_VERSION;
buffDesc.cBuffers = 3;
buffDesc.pBuffers = secBuff;

secBuff[0].BufferType = SECBUFFER_TOKEN;
secBuff[0].cbBuffer = context_handle->SecPkgContextSizes.cbSecurityTrailer;
output_message_buffer->value = secBuff[0].pvBuffer = malloc(
secBuff[0].pvBuffer = malloc(
context_handle->SecPkgContextSizes.cbSecurityTrailer
+ input_message_buffer->length
+ context_handle->SecPkgContextSizes.cbBlockSize);;
if (!output_message_buffer->value) {
if (!secBuff[0].pvBuffer) {
goto err;
}

Expand Down Expand Up @@ -1376,8 +1383,10 @@ gss_wrap(OM_uint32 *minor_status,
secBuff[2].pvBuffer,
secBuff[2].cbBuffer);

output_message_buffer->value = secBuff[0].pvBuffer;
output_message_buffer->length = secBuff[0].cbBuffer + secBuff[1].cbBuffer
+ secBuff[2].cbBuffer;

free(secBuff[1].pvBuffer);
free(secBuff[2].pvBuffer);

Expand Down Expand Up @@ -1413,7 +1422,7 @@ gss_unwrap(OM_uint32 *minor_status,

SECURITY_STATUS ss;
SecBufferDesc buffDesc;
SecBuffer secBuff[2];
SecBuffer secBuff[2] = {0};
ULONG ulQop = 0;

buffDesc.cBuffers = 2;
Expand Down Expand Up @@ -1445,7 +1454,7 @@ gss_unwrap(OM_uint32 *minor_status,

// Must allocate a new memory block so client can release it correctly
output_message_buffer->length = secBuff[1].cbBuffer;
output_message_buffer->value = new char[secBuff[1].cbBuffer];
output_message_buffer->value = malloc(secBuff[1].cbBuffer);

if (!output_message_buffer->value) {
goto err;
Expand Down Expand Up @@ -1595,7 +1604,7 @@ gss_display_status(OM_uint32 *minor_status,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
msg, 256, 0);
if (len > 0) {
status_string->value = new char[len + 20];
status_string->value = malloc(len + 20);
if (!status_string->value) {
status_string = GSS_C_NO_BUFFER;
return GSS_S_FAILURE;
Expand All @@ -1604,7 +1613,7 @@ gss_display_status(OM_uint32 *minor_status,
(LPSTR)status_string->value, len + 19,
"(%lx) %ls", status_value, msg);
} else {
status_string->value = new char[33];
status_string->value = malloc(33);
if (!status_string->value) {
status_string = GSS_C_NO_BUFFER;
return GSS_S_FAILURE;
Expand Down Expand Up @@ -1662,7 +1671,7 @@ gss_release_buffer(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
if (buffer->value) {
delete[] buffer->value;
free(buffer->value);
buffer->value = NULL;
}
buffer->length = 0;
Expand Down

1 comment on commit 765a942

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.