[Freeipa-devel] [PATCH] 0146: ipa-kdb: do not fetch client principal if it is the same

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 6 08:32:44 UTC 2014 

Hi!

Attached patch should fix the issue raised by Sumit when reviewing my
patch 0145.

Additionally, it fixes reverted condition check for case when we didn't
find client_princ in the database, preventing a memory leak.

Martin, you wanted to create a bug for this, so I didn't add the ticket
reference.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From fca38b11008ff6eabed31d7d5ca0237c6b9740d0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 6 Mar 2014 10:26:29 +0200
Subject: [PATCH] ipa-kdb: do not fetch client principal if it is the same as
 existing entry

When client principal is the same as supplied client entry, don't fetch it
again.

Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.

Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 68f27f0..8481278 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     bool with_pad;
     int result;
     krb5_db_entry *client_entry = NULL;
+    krb5_boolean is_equal;
 
 
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     if (client_princ != NULL) {
         ks_client_princ = client_princ;
         if (!is_as_req) {
-            kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
-            /* If we didn't find client_princ in our database, it might be:
-             * - a principal from another realm, handle it down in ipadb_get/verify_pac()
-             */
-            if (!kerr) {
-                client_entry = NULL;
+            is_equal = false;
+            if ((client != NULL) && (client->princ != NULL)) {
+                is_equal = krb5_principal_compare(context, client_princ, client->princ);
+            }
+            if (!is_equal) {
+                kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+                /* If we didn't find client_princ in our database, it might be:
+                 * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+                 */
+                if (kerr != 0) {
+                    client_entry = NULL;
+                }
             }
         }
     } else {
-- 
1.8.3.1

More information about the Freeipa-devel mailing list