sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

pam_smbpass: Wrap calls in talloc_stackframe() to avoid warnings about leaking memory

Browse Source 
Any code in source3 is permitted to use talloc_tos() at any point, so we must protect all the library interfaces
against memory leaks this way.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Andrew Bartlett 2014-04-01 17:01:26 +13:00 committed by Jeremy Allison
parent bc5bd4010e
commit 8f3a516acb
3 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
source3/pam_smbpass/pam_smb_acct.c
View File

@ -55,6 +55,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
const char *name; const char *name;
struct samu *sampass = NULL; struct samu *sampass = NULL;
void (*oldsig_handler)(int); void (*oldsig_handler)(int);
TALLOC_CTX *frame = talloc_stackframe();
/* Samba initialization. */ /* Samba initialization. */
load_case_tables_library(); load_case_tables_library();
@ -68,6 +69,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
if (on( SMB_DEBUG, ctrl )) { if (on( SMB_DEBUG, ctrl )) {
_log_err(pamh, LOG_DEBUG, "acct: could not identify user" ); _log_err(pamh, LOG_DEBUG, "acct: could not identify user" );
} }
TALLOC_FREE(frame);
return retval; return retval;
} }
if (on( SMB_DEBUG, ctrl )) { if (on( SMB_DEBUG, ctrl )) {
@ -76,6 +78,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
if (geteuid() != 0) { if (geteuid() != 0) {
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
TALLOC_FREE(frame);
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
} }
@ -85,6 +88,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
if (!initialize_password_db(True, NULL)) { if (!initialize_password_db(True, NULL)) {
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" ); _log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
} }
@ -93,18 +97,21 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
if (!(sampass = samu_new( NULL ))) { if (!(sampass = samu_new( NULL ))) {
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
/* malloc fail. */ /* malloc fail. */
TALLOC_FREE(frame);
return nt_status_to_pam(NT_STATUS_NO_MEMORY); return nt_status_to_pam(NT_STATUS_NO_MEMORY);
} }
if (!pdb_getsampwnam(sampass, name )) { if (!pdb_getsampwnam(sampass, name )) {
_log_err(pamh, LOG_DEBUG, "acct: could not identify user"); _log_err(pamh, LOG_DEBUG, "acct: could not identify user");
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_USER_UNKNOWN; return PAM_USER_UNKNOWN;
} }
/* check for lookup failure */ /* check for lookup failure */
if (!strlen(pdb_get_username(sampass)) ) { if (!strlen(pdb_get_username(sampass)) ) {
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_USER_UNKNOWN; return PAM_USER_UNKNOWN;
} }
@ -118,12 +125,14 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
"please see your system administrator." ); "please see your system administrator." );
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_ACCT_EXPIRED; return PAM_ACCT_EXPIRED;
} }
/* TODO: support for expired passwords. */ /* TODO: support for expired passwords. */
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_SUCCESS; return PAM_SUCCESS;
} }

7
source3/pam_smbpass/pam_smb_auth.c
View File

@ -50,6 +50,7 @@ do { \
pam_set_data( pamh, "smb_setcred_return" \ pam_set_data( pamh, "smb_setcred_return" \
, (void *) ret_data, NULL ); \ , (void *) ret_data, NULL ); \
} \ } \
TALLOC_FREE(frame); \
return retval; \ return retval; \
} while (0) } while (0)
@ -75,6 +76,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
const char *name; const char *name;
void (*oldsig_handler)(int) = NULL; void (*oldsig_handler)(int) = NULL;
bool found; bool found;
TALLOC_CTX *frame = talloc_stackframe();
/* Points to memory managed by the PAM library. Do not free. */ /* Points to memory managed by the PAM library. Do not free. */
char *p = NULL; char *p = NULL;
@ -195,6 +197,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
char *msg_str = NULL; char *msg_str = NULL;
const char *pass = NULL; const char *pass = NULL;
int retval; int retval;
TALLOC_CTX *frame = talloc_stackframe();
/* Get the authtok; if we don't have one, silently fail. */ /* Get the authtok; if we don't have one, silently fail. */
retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass ); retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
@ -202,8 +205,10 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
if (retval != PAM_SUCCESS) { if (retval != PAM_SUCCESS) {
_log_err(pamh, LOG_ALERT _log_err(pamh, LOG_ALERT
, "pam_get_item returned error to pam_sm_authenticate" ); , "pam_get_item returned error to pam_sm_authenticate" );
TALLOC_FREE(frame);
return PAM_AUTHTOK_RECOVER_ERR; return PAM_AUTHTOK_RECOVER_ERR;
} else if (pass == NULL) { } else if (pass == NULL) {
TALLOC_FREE(frame);
return PAM_AUTHTOK_RECOVER_ERR; return PAM_AUTHTOK_RECOVER_ERR;
} }
@ -220,6 +225,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
SAFE_FREE(err_str); SAFE_FREE(err_str);
SAFE_FREE(msg_str); SAFE_FREE(msg_str);
TALLOC_FREE(frame);
return PAM_IGNORE; return PAM_IGNORE;
} else { } else {
/* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */
@ -237,6 +243,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
SAFE_FREE(err_str); SAFE_FREE(err_str);
SAFE_FREE(msg_str); SAFE_FREE(msg_str);
pass = NULL; pass = NULL;
TALLOC_FREE(frame);
return PAM_IGNORE; return PAM_IGNORE;
} }

16
source3/pam_smbpass/pam_smb_passwd.c
View File

@ -103,6 +103,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
const char *user; const char *user;
char *pass_old; char *pass_old;
char *pass_new; char *pass_new;
TALLOC_CTX *frame = talloc_stackframe();
/* Samba initialization. */ /* Samba initialization. */
load_case_tables_library(); load_case_tables_library();
@ -119,6 +120,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (on( SMB_DEBUG, ctrl )) { if (on( SMB_DEBUG, ctrl )) {
_log_err(pamh, LOG_DEBUG, "password: could not identify user"); _log_err(pamh, LOG_DEBUG, "password: could not identify user");
} }
TALLOC_FREE(frame);
return retval; return retval;
} }
if (on( SMB_DEBUG, ctrl )) { if (on( SMB_DEBUG, ctrl )) {
@ -127,6 +129,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (geteuid() != 0) { if (geteuid() != 0) {
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
TALLOC_FREE(frame);
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
} }
@ -137,19 +140,22 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (!initialize_password_db(False, NULL)) { if (!initialize_password_db(False, NULL)) {
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" ); _log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
} }
/* obtain user record */ /* obtain user record */
if ( !(sampass = samu_new( NULL )) ) { if ( !(sampass = samu_new( NULL )) ) {
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return nt_status_to_pam(NT_STATUS_NO_MEMORY); return nt_status_to_pam(NT_STATUS_NO_MEMORY);
} }
if (!pdb_getsampwnam(sampass,user)) { if (!pdb_getsampwnam(sampass,user)) {
_log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user); _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
return PAM_USER_UNKNOWN; TALLOC_FREE(frame);
return PAM_USER_UNKNOWN;
} }
if (on( SMB_DEBUG, ctrl )) { if (on( SMB_DEBUG, ctrl )) {
_log_err(pamh, LOG_DEBUG, "Located account for %s", user); _log_err(pamh, LOG_DEBUG, "Located account for %s", user);
@ -167,6 +173,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_SUCCESS; return PAM_SUCCESS;
} }
@ -179,6 +186,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
_log_err(pamh, LOG_CRIT, "password: out of memory"); _log_err(pamh, LOG_CRIT, "password: out of memory");
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return PAM_BUF_ERR; return PAM_BUF_ERR;
} }
@ -192,6 +200,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
"password - (old) token not obtained"); "password - (old) token not obtained");
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} }
@ -207,6 +216,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
pass_old = NULL; pass_old = NULL;
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} else if (flags & PAM_UPDATE_AUTHTOK) { } else if (flags & PAM_UPDATE_AUTHTOK) {
@ -237,6 +247,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
_log_err(pamh, LOG_NOTICE, "password: user not authenticated"); _log_err(pamh, LOG_NOTICE, "password: user not authenticated");
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} }
@ -265,6 +276,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
pass_old = NULL; /* tidy up */ pass_old = NULL; /* tidy up */
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} }
@ -285,6 +297,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
pass_new = pass_old = NULL; /* tidy up */ pass_new = pass_old = NULL; /* tidy up */
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} }
@ -334,6 +347,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
TALLOC_FREE(sampass); TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, oldsig_handler); CatchSignal(SIGPIPE, oldsig_handler);
TALLOC_FREE(frame);
return retval; return retval;
} }