authorAlexander Bokovoy <abokovoy@redhat.com>2014-03-06 10:26:29 +0200
committerMartin Kosek <mkosek@redhat.com>2014-03-06 12:28:25 +0100
commit4048d412f2297df6bb483c86cdb61c21a0081f35 (patch)
tree4110a4eda1d52005fef3d30d87879db711527afc /daemons
parent68f4af3122bfd9f83f4f09a7b6254da1bf0e533a (diff)
ipa-kdb: do not fetch client principal if it is the same as existing entry
When the client principal is the same as the supplied client entry, don't fetch it again. Note that when the client principal is not NULL, the client entry might be NULL in the cross-realm case, so we need to make sure not to dereference a NULL pointer here. Also fix the inverted condition for the case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 68f27f0e2..848127876 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
bool with_pad;
int result;
krb5_db_entry *client_entry = NULL;
+ krb5_boolean is_equal;
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
if (client_princ != NULL) {
ks_client_princ = client_princ;
if (!is_as_req) {
- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
- /* If we didn't find client_princ in our database, it might be:
- * - a principal from another realm, handle it down in ipadb_get/verify_pac()
- */
- if (!kerr) {
- client_entry = NULL;
+ is_equal = false;
+ if ((client != NULL) && (client->princ != NULL)) {
+ is_equal = krb5_principal_compare(context, client_princ, client->princ);
+ }
+ if (!is_equal) {
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+ /* If we didn't find client_princ in our database, it might be:
+ * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+ */
+ if (kerr != 0) {
+ client_entry = NULL;
+ }
}
}
} else {
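Review bot: The new `if (kerr != 0)` branch treats every failure of ipadb_get_principal() as "principal not in our database", although the comment above it describes only the not-found case; a backend or allocation error would then be handled further down as if the client came from another realm. Consider narrowing it to the lookup miss, e.g. `if (kerr == KRB5_KDB_NOENTRY) { client_entry = NULL; }` (assuming that is the code the lookup returns for a miss), and returning any other error through the function's normal error path. Also, when `is_equal` is true client_entry stays NULL here, so the code after this block presumably falls back to `client`. That part of ipadb_sign_authdata is outside the hunk and should be confirmed, together with the rule that only an entry fetched here is freed.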