KRB5: Drop memctx parameter of krb5_try_kdcip

This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.

This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.

It also updates the DEBUG messages for this function to the
appropriate new macro levels.

4 files changed, 17 insertions, 15 deletions

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b816f9977..148a8b711 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -672,7 +672,7 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
 
     /* If there is no KDC, try the deprecated krb5_kdcip option, too */
     /* FIXME - this can be removed in a future version */
-    ret = krb5_try_kdcip(ipa_opts, cdb, conf_path, ipa_opts->auth, KRB5_KDC);
+    ret = krb5_try_kdcip(cdb, conf_path, ipa_opts->auth, KRB5_KDC);
     if (ret != EOK) {
         DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
         goto done;
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index d7586aa50..e06827018 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -221,9 +221,8 @@ errno_t check_and_export_options(struct dp_option *opts,
     return EOK;
 }
 
-errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
-                       const char *conf_path, struct dp_option *opts,
-                       int opt_id)
+errno_t krb5_try_kdcip(struct confdb_ctx *cdb, const char *conf_path,
+                       struct dp_option *opts, int opt_id)
 {
     char *krb5_servers = NULL;
     errno_t ret;
@@ -231,7 +230,7 @@ errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
     krb5_servers = dp_opt_get_string(opts, opt_id);
     if (krb5_servers == NULL) {
         DEBUG(4, ("No KDC found in configuration, trying legacy option\n"));
-        ret = confdb_get_string(cdb, memctx, conf_path,
+        ret = confdb_get_string(cdb, NULL, conf_path,
                                 "krb5_kdcip", NULL, &krb5_servers);
         if (ret != EOK) {
             DEBUG(1, ("confdb_get_string failed.\n"));
@@ -247,11 +246,15 @@ errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
                 return ret;
             }
 
-            DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n",
-                      krb5_servers));
-            DEBUG(0, ("Your configuration uses the deprecated option 'krb5_kdcip' "
-                      "to specify the KDC. Please change the configuration to use "
-                      "the 'krb5_server' option instead.\n"));
+            DEBUG(SSSDBG_CONF_SETTINGS,
+                  ("Set krb5 server [%s] based on legacy krb5_kdcip option\n",
+                   krb5_servers));
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  ("Your configuration uses the deprecated option "
+                   "'krb5_kdcip' to specify the KDC. Please change the "
+                   "configuration to use the 'krb5_server' option "
+                   "instead.\n"));
+            talloc_free(krb5_servers);
         }
     }
 
@@ -279,7 +282,7 @@ errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
 
     /* If there is no KDC, try the deprecated krb5_kdcip option, too */
     /* FIXME - this can be removed in a future version */
-    ret = krb5_try_kdcip(memctx, cdb, conf_path, opts, KRB5_KDC);
+    ret = krb5_try_kdcip(cdb, conf_path, opts, KRB5_KDC);
     if (ret != EOK) {
         DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
         goto done;
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 029ebf6ed..ec4fc0509 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -137,9 +137,8 @@ errno_t check_and_export_options(struct dp_option *opts,
                                  struct sss_domain_info *dom,
                                  struct krb5_ctx *krb5_ctx);
 
-errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
-                       const char *conf_path, struct dp_option *opts,
-                       int opt_id);
+errno_t krb5_try_kdcip(struct confdb_ctx *cdb, const char *conf_path,
+                       struct dp_option *opts, int opt_id);
 
 errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
                          const char *conf_path, struct dp_option **_opts);
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 64c06cd59..84857549c 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -289,7 +289,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
 
     /* If there is no KDC, try the deprecated krb5_kdcip option, too */
     /* FIXME - this can be removed in a future version */
-    ret = krb5_try_kdcip(memctx, cdb, conf_path, opts->basic, SDAP_KRB5_KDC);
+    ret = krb5_try_kdcip(cdb, conf_path, opts->basic, SDAP_KRB5_KDC);
     if (ret != EOK) {
         DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
         goto done;