author | Pavel Březina <pbrezina@redhat.com> | 2017-04-03 12:56:01 +0200 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-04-03 15:37:27 +0200 |
commit | 05c2c3047912fca1c1a35ab1c8d3157b05383495 (patch) | |
tree | 01aad2c3240d13fc10134517617b9958ea4b6679 | |
parent | 84fecc2fd535030bc56b5046ba2a1ba95c46bc34 (diff) | |
responders: do not leak selinux context on clients destruction
The SELinux context created in get_client_cred is not talloc bound, so
whenever one was present we leaked it on each client's destruction.
Resolves:
https://pagure.io/SSSD/sssd/issue/3360
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | src/responder/common/responder_common.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 154d7dc77..67e1deefd 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
     SEC_CTX secctx;
     int ret;
 
-    cctx->creds = talloc(cctx, struct cli_creds);
+    cctx->creds = talloc_zero(cctx, struct cli_creds);
     if (!cctx->creds) return ENOMEM;
 
 #ifdef HAVE_UCRED
@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev,
 
 static errno_t setup_client_idle_timer(struct cli_ctx *cctx);
 
+static int cli_ctx_destructor(struct cli_ctx *cctx)
+{
+    if (cctx->creds == NULL) {
+        return 0;
+    }
+
+    if (cctx->creds->selinux_ctx == NULL) {
+        return 0;
+    }
+
+    SELINUX_context_free(cctx->creds->selinux_ctx);
+    cctx->creds->selinux_ctx = NULL;
+
+    return 0;
+}
+
 struct accept_fd_ctx {
     struct resp_ctx *rctx;
     bool is_private;
@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev,
         return;
     }
 
+    talloc_set_destructor(cctx, cli_ctx_destructor);
+
     len = sizeof(cctx->addr);
     cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
     if (cctx->cfd == -1) {
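Review bot: The destructor in the second hunk is attached to `struct cli_ctx`, but the object that owns `selinux_ctx` is `cctx->creds`, so the cleanup is tied to the wrong lifetime: if `cctx->creds` is ever freed or reparented on its own, or a `cli_ctx` is created on a path other than accept_fd_handler, the context still leaks. Attaching the destructor to the creds struct at the point of allocation in the first hunk keeps ownership and release together: `cctx->creds = talloc_zero(cctx, struct cli_creds);` followed by `if (!cctx->creds) return ENOMEM;` and `talloc_set_destructor(cctx->creds, cli_creds_destructor);`, with the destructor taking `struct cli_creds *` and checking only `selinux_ctx`. The `cctx->creds == NULL` guard in the current destructor also relies on `cctx` itself being zero-allocated, which is not visible in this hunk and should be confirmed at the allocation site. Both get_client_cred and accept_fd_handler start and end outside their hunks.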