diff options
author | Andrew Bartlett <abartlet@samba.org> | 2014-04-01 17:01:26 +1300 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2014-04-02 00:31:48 +0200 |
commit | 8f3a516acb8c95cd6d88bf80abd495ac0cafaae3 (patch) | |
tree | b96b79f76c068706b409ab31c4eb421753ae6df6 /source3/pam_smbpass | |
parent | bc5bd4010e8fedf19047ed6f7a793cd373f9f14f (diff) | |
download | samba-8f3a516acb8c95cd6d88bf80abd495ac0cafaae3.tar.gz samba-8f3a516acb8c95cd6d88bf80abd495ac0cafaae3.tar.xz samba-8f3a516acb8c95cd6d88bf80abd495ac0cafaae3.zip |
pam_smbpass: Wrap calls in talloc_stackframe() to avoid warnings about leaking memory
Any code in source3 is permitted to use talloc_tos() at any point, so we must protect all the library interfaces
against memory leaks this way.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/pam_smbpass')
-rw-r--r-- | source3/pam_smbpass/pam_smb_acct.c | 9 | ||||
-rw-r--r-- | source3/pam_smbpass/pam_smb_auth.c | 7 | ||||
-rw-r--r-- | source3/pam_smbpass/pam_smb_passwd.c | 16 |
3 files changed, 31 insertions, 1 deletions
diff --git a/source3/pam_smbpass/pam_smb_acct.c b/source3/pam_smbpass/pam_smb_acct.c index 60acd3c1ca5..bd4615f646e 100644 --- a/source3/pam_smbpass/pam_smb_acct.c +++ b/source3/pam_smbpass/pam_smb_acct.c @@ -55,6 +55,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, const char *name; struct samu *sampass = NULL; void (*oldsig_handler)(int); + TALLOC_CTX *frame = talloc_stackframe(); /* Samba initialization. */ load_case_tables_library(); @@ -68,6 +69,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, if (on( SMB_DEBUG, ctrl )) { _log_err(pamh, LOG_DEBUG, "acct: could not identify user" ); } + TALLOC_FREE(frame); return retval; } if (on( SMB_DEBUG, ctrl )) { @@ -76,6 +78,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, if (geteuid() != 0) { _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + TALLOC_FREE(frame); return PAM_AUTHINFO_UNAVAIL; } @@ -85,6 +88,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, if (!initialize_password_db(True, NULL)) { _log_err(pamh, LOG_ALERT, "Cannot access samba password database" ); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_AUTHINFO_UNAVAIL; } @@ -93,18 +97,21 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, if (!(sampass = samu_new( NULL ))) { CatchSignal(SIGPIPE, oldsig_handler); /* malloc fail. */ + TALLOC_FREE(frame); return nt_status_to_pam(NT_STATUS_NO_MEMORY); } if (!pdb_getsampwnam(sampass, name )) { _log_err(pamh, LOG_DEBUG, "acct: could not identify user"); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_USER_UNKNOWN; } /* check for lookup failure */ if (!strlen(pdb_get_username(sampass)) ) { CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_USER_UNKNOWN; } @@ -118,12 +125,14 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, "please see your system administrator." ); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_ACCT_EXPIRED; } /* TODO: support for expired passwords. */ CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_SUCCESS; } diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 4270bcce587..ac5ef3f21c5 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -50,6 +50,7 @@ do { \ pam_set_data( pamh, "smb_setcred_return" \ , (void *) ret_data, NULL ); \ } \ + TALLOC_FREE(frame); \ return retval; \ } while (0) @@ -75,6 +76,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, const char *name; void (*oldsig_handler)(int) = NULL; bool found; + TALLOC_CTX *frame = talloc_stackframe(); /* Points to memory managed by the PAM library. Do not free. */ char *p = NULL; @@ -195,6 +197,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, char *msg_str = NULL; const char *pass = NULL; int retval; + TALLOC_CTX *frame = talloc_stackframe(); /* Get the authtok; if we don't have one, silently fail. */ retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass ); @@ -202,8 +205,10 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, if (retval != PAM_SUCCESS) { _log_err(pamh, LOG_ALERT , "pam_get_item returned error to pam_sm_authenticate" ); + TALLOC_FREE(frame); return PAM_AUTHTOK_RECOVER_ERR; } else if (pass == NULL) { + TALLOC_FREE(frame); return PAM_AUTHTOK_RECOVER_ERR; } @@ -220,6 +225,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, SAFE_FREE(err_str); SAFE_FREE(msg_str); + TALLOC_FREE(frame); return PAM_IGNORE; } else { /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ @@ -237,6 +243,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, SAFE_FREE(err_str); SAFE_FREE(msg_str); pass = NULL; + TALLOC_FREE(frame); return PAM_IGNORE; } diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c index ce0b1187d80..dedfda03ffb 100644 --- a/source3/pam_smbpass/pam_smb_passwd.c +++ b/source3/pam_smbpass/pam_smb_passwd.c @@ -103,6 +103,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, const char *user; char *pass_old; char *pass_new; + TALLOC_CTX *frame = talloc_stackframe(); /* Samba initialization. */ load_case_tables_library(); @@ -119,6 +120,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (on( SMB_DEBUG, ctrl )) { _log_err(pamh, LOG_DEBUG, "password: could not identify user"); } + TALLOC_FREE(frame); return retval; } if (on( SMB_DEBUG, ctrl )) { @@ -127,6 +129,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (geteuid() != 0) { _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + TALLOC_FREE(frame); return PAM_AUTHINFO_UNAVAIL; } @@ -137,19 +140,22 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (!initialize_password_db(False, NULL)) { _log_err(pamh, LOG_ALERT, "Cannot access samba password database" ); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_AUTHINFO_UNAVAIL; } /* obtain user record */ if ( !(sampass = samu_new( NULL )) ) { CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return nt_status_to_pam(NT_STATUS_NO_MEMORY); } if (!pdb_getsampwnam(sampass,user)) { _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user); CatchSignal(SIGPIPE, oldsig_handler); - return PAM_USER_UNKNOWN; + TALLOC_FREE(frame); + return PAM_USER_UNKNOWN; } if (on( SMB_DEBUG, ctrl )) { _log_err(pamh, LOG_DEBUG, "Located account for %s", user); @@ -167,6 +173,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_SUCCESS; } @@ -179,6 +186,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, _log_err(pamh, LOG_CRIT, "password: out of memory"); TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_BUF_ERR; } @@ -192,6 +200,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, "password - (old) token not obtained"); TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } @@ -207,6 +216,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pass_old = NULL; TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } else if (flags & PAM_UPDATE_AUTHTOK) { @@ -237,6 +247,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, _log_err(pamh, LOG_NOTICE, "password: user not authenticated"); TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } @@ -265,6 +276,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pass_old = NULL; /* tidy up */ TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } @@ -285,6 +297,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pass_new = pass_old = NULL; /* tidy up */ TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } @@ -334,6 +347,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, TALLOC_FREE(sampass); CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return retval; } |