Hi,
the attached patches provide additional fixes for
<https://fedorahosted.org/freeipa/ticket/4651>.
I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct,
please check them carefully.
Honza
--
Jan Cholasta
>From a195644143042a0161de81472646f41f503ffe48 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 17:20:18 +0000
Subject: [PATCH 1/7] Remove redefinition of LOG from ipa-otp-lasttoken
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index d20fca1..15b404d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -47,9 +47,6 @@
#include "util.h"
#define PLUGIN_NAME "ipa-otp-lasttoken"
-#define LOG(sev, ...) \
- slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
- "%s: %s\n", __func__, __VA_ARGS__), -1
static void *plugin_id;
static const Slapi_PluginDesc preop_desc = {
--
2.1.0
>From b5800224806278ed0d1a165acbe7a12fdd74fbf6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 17:33:23 +0000
Subject: [PATCH 2/7] Unload P11_Helper object's library when it is finalized
in ipap11helper
https://fedorahosted.org/freeipa/ticket/4651
---
ipapython/ipap11helper/library.c | 5 +++++
ipapython/ipap11helper/p11helper.c | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipapython/ipap11helper/library.c b/ipapython/ipap11helper/library.c
index 51e24eb..619604d 100644
--- a/ipapython/ipap11helper/library.c
+++ b/ipapython/ipap11helper/library.c
@@ -70,6 +70,11 @@ CK_C_GetFunctionList loadLibrary(char* module, void** moduleHandle)
// Retrieve the entry point for C_GetFunctionList
pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib, "C_GetFunctionList");
+ if (pGetFunctionList == NULL)
+ {
+ dlclose(pDynLib);
+ return NULL;
+ }
// Store the handle so we can dlclose it later
*moduleHandle = pDynLib;
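Review bot: The new failure path in `loadLibrary` returns without writing `*moduleHandle`, so the caller's variable keeps whatever value it had before the call. The same commit removes the caller-side `unloadLibrary(module_handle)` in `P11_Helper_init`, so nothing breaks there, but any other caller that inspects the handle after a NULL return would read an indeterminate or stale pointer. Setting `*moduleHandle = NULL;` before `return NULL;` makes the contract explicit, and a comment such as `/* on failure the library is closed and *moduleHandle is NULL */` would record it. The start of the function is outside the hunk, so the earlier failure returns should be checked for the same behaviour.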
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 038c26c..558185e 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -66,6 +66,7 @@ PyObject_HEAD
CK_SLOT_ID slot;
CK_FUNCTION_LIST_PTR p11;
CK_SESSION_HANDLE session;
+void *module_handle;
} P11_Helper;
typedef enum {
@@ -478,6 +479,7 @@ P11_Helper_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
self->slot = 0;
self->session = 0;
self->p11 = NULL;
+ self->module_handle = NULL;
}
return (PyObject *) self;
@@ -496,12 +498,12 @@ static int P11_Helper_init(P11_Helper *self, PyObject *args, PyObject *kwds) {
CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
&module_handle);
if (!pGetFunctionList) {
- if (module_handle != NULL)
- unloadLibrary(module_handle);
PyErr_SetString(ipap11helperError, "Could not load the library.");
return -1;
}
+ self->module_handle = module_handle;
+
/*
* Load the function list
*/
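Review bot: Once `self->module_handle = module_handle;` is stored, any later failure in `P11_Helper_init` leaves the library loaded until `finalize()` is eventually called; the rest of the function is outside the hunk, so those error returns are not visible here. It is also not visible whether calling `__init__` again on the same object would overwrite a handle that is still open. Consider unloading and clearing the handle on the later error returns, or releasing it when the object is deallocated. A comment would state the ownership: `/* self owns the dlopen handle from here; released in P11_Helper_finalize */`.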
@@ -567,9 +569,12 @@ P11_Helper_finalize(P11_Helper* self) {
*/
self->p11->C_Finalize(NULL);
+ unloadLibrary(self->module_handle);
+
self->p11 = NULL;
self->session = 0;
self->slot = 0;
+ self->module_handle = NULL;
return Py_None;
}
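Review bot: `unloadLibrary(self->module_handle);` is called unconditionally, yet the handle is NULL on an object whose init failed and again after a first `finalize()`, because this hunk resets it to NULL. The caller-side code removed from `P11_Helper_init` guarded the same call with `!= NULL`, which suggests `unloadLibrary` may not accept NULL; a guard such as `if (self->module_handle != NULL) unloadLibrary(self->module_handle);` would keep that protection. The context line `self->p11->C_Finalize(NULL);` has the same exposure when `self->p11` is NULL, unless a check sits above the hunk. Separately, the context line `return Py_None;` returns the singleton without taking a reference; `Py_RETURN_NONE;` is the usual form.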
--
2.1.0
>From 26d61f0284dba1ac98ae02260536772465da8819 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 17:40:35 +0000
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-sam/ipa_sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
krb5_free_principal(data.context, in_creds.server);
krb5_free_principal(data.context, in_creds.client);
- if (rc) {
+ if (rc != 0 && rc != KRB5KRB_AP_ERR_TKT_NYV && rc != KRB5KRB_AP_ERR_TKT_EXPIRED) {
rc = bind_callback_obtain_creds(&data);
if (rc) {
bind_callback_cleanup(&data, rc);
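Review bot: With the new condition, an `rc` of `KRB5KRB_AP_ERR_TKT_NYV` or `KRB5KRB_AP_ERR_TKT_EXPIRED` skips `bind_callback_obtain_creds()`, and control continues past this block with `rc` still non-zero and no fresh credentials obtained here. The rest of `bind_callback` is outside the hunk, so it is not visible whether the code before or after it renews the ticket in those two cases; if nothing does, the bind would go ahead with a ticket that was just reported as expired or not yet valid. Please confirm the intended handling and record it above the test, for example `/* expired / not-yet-valid tickets are handled by <renewal path>; any other error needs new credentials */`.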
--
2.1.0
>From 6dddda386daa320c0db9c47709330d793881bda3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 18:10:27 +0000
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
NULL, NULL, &result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+ if (kerr != 0 && kerr != ENOENT) {
+ goto done;
+ }
}
}
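Review bot: When `ipadb_reinit_mspac()` returns `ENOENT`, the added check lets execution continue but leaves `kerr` set to `ENOENT`. `ipadb_sign_authdata` continues outside the hunk, so it is not visible whether `kerr` is reassigned before the `done` label; if any path reaches `done` without overwriting it, the function would return `ENOENT` for a condition this check treats as acceptable. Consider clearing it explicitly with `if (kerr == ENOENT) kerr = 0;`, and adding a comment that says why a missing entry is tolerated, e.g. `/* ENOENT: <reason>, not fatal for signing */`.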
--
2.1.0
>From 63846b20707b194d0be635fa086fbbe463561d02 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 18:10:59 +0000
Subject: [PATCH 5/7] Fix unchecked return values in ipa-winsync
https://fedorahosted.org/freeipa/ticket/4651
---
.../ipa-winsync/ipa-winsync-config.c | 40 +++++++++++-----------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index 65ceaea..8b62aed 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -905,9 +905,9 @@ ipa_winsync_config_refresh_domain(
if (!iwdc->realm_name) {
/* error - could not find the IPA config entry with the realm name */
- LOG_FATAL("Error: could not find the entry containing the realm name for "
- "ds subtree [%s] filter [%s] attr [%s]\n",
- slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr);
+ LOG_FATAL("Error: could not find the entry containing the realm name "
+ "[%d] ds subtree [%s] filter [%s] attr [%s]\n",
+ ret, slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr);
goto out;
}
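Review bot: The return value is still not checked in any of these hunks: `ret` is only added to the log message, and each branch is still entered solely because the output pointer is NULL (`if (!iwdc->realm_name)` here, and likewise in the hunks at 918, 933, 950, 969, 1014 and 1026). A non-zero `ret` that leaves the pointer non-NULL is therefore still ignored, and a lookup that succeeded but matched nothing logs an unlabelled `[0]`. If failures are meant to be acted on, test both, e.g. `if (ret != LDAP_SUCCESS || !iwdc->realm_name) {`, and label the value in the format string, e.g. `"error [%d] ds subtree [%s] ..."`. The call that assigns `ret` starts outside each hunk, so the success constant should be confirmed against that helper.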
@@ -918,9 +918,9 @@ ipa_winsync_config_refresh_domain(
&new_user_objclasses, NULL);
if (!new_user_objclasses) {
/* error - could not find the entry containing list of objectclasses */
- LOG_FATAL("Error: could not find the entry containing the new user objectclass list for "
- "ds subtree [%s] filter [%s] attr [%s]\n",
- slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr);
+ LOG_FATAL("Error: could not find the entry containing the new user objectclass list "
+ "[%d] ds subtree [%s] filter [%s] attr [%s]\n",
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr);
goto out;
}
@@ -933,9 +933,9 @@ ipa_winsync_config_refresh_domain(
NULL, &iwdc->homedir_prefix);
if (!iwdc->homedir_prefix) {
/* error - could not find the home dir prefix */
- LOG_FATAL("Error: could not find the entry containing the home directory prefix for "
- "ds subtree [%s] filter [%s] attr [%s]\n",
- slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr);
+ LOG_FATAL("Error: could not find the entry containing the home directory prefix "
+ "[%d] ds subtree [%s] filter [%s] attr [%s]\n",
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr);
goto out;
}
@@ -950,8 +950,8 @@ ipa_winsync_config_refresh_domain(
NULL, &iwdc->login_shell);
if (!iwdc->login_shell) {
LOG("Warning: could not find the entry containing the login shell "
- "attribute for ds subtree [%s] filter [%s] attr [%s]\n",
- slapi_sdn_get_dn(ds_subtree), new_entry_filter,
+ "attribute [%d] ds subtree [%s] filter [%s] attr [%s]\n",
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
login_shell_attr);
}
}
@@ -969,9 +969,9 @@ ipa_winsync_config_refresh_domain(
NULL, &default_group_name);
if (!default_group_name) {
/* error - could not find the default group name */
- LOG_FATAL("Error: could not find the entry containing the default group name for "
- "ds subtree [%s] filter [%s] attr [%s]\n",
- slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr);
+ LOG_FATAL("Error: could not find the entry containing the default group name "
+ "[%d] ds subtree [%s] filter [%s] attr [%s]\n",
+ ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr);
goto out;
}
@@ -1014,9 +1014,9 @@ ipa_winsync_config_refresh_domain(
NULL, &inactivated_group_dn);
if (!inactivated_group_dn) {
/* error - could not find the inactivated group dn */
- LOG("Could not find the DN of the inactivated users group ds "
- "subtree [%s] filter [%s]. Ignoring\n",
- slapi_sdn_get_dn(ds_subtree), inactivated_filter);
+ LOG("Could not find the DN of the inactivated users group "
+ "[%d] ds subtree [%s] filter [%s]. Ignoring\n",
+ ret, slapi_sdn_get_dn(ds_subtree), inactivated_filter);
goto out;
}
}
@@ -1026,9 +1026,9 @@ ipa_winsync_config_refresh_domain(
NULL, &activated_group_dn);
if (!activated_group_dn) {
/* error - could not find the activated group dn */
- LOG("Could not find the DN of the activated users group ds "
- "subtree [%s] filter [%s]. Ignoring\n",
- slapi_sdn_get_dn(ds_subtree), activated_filter);
+ LOG("Could not find the DN of the activated users group "
+ "[%d] ds subtree [%s] filter [%s]. Ignoring\n",
+ ret, slapi_sdn_get_dn(ds_subtree), activated_filter);
goto out;
}
}
--
2.1.0
>From 5cfc5d50ef7d2e42f10488ddf0d11fa405a8cb84 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 18:12:02 +0000
Subject: [PATCH 6/7] Fix unchecked return value in ipa-join
https://fedorahosted.org/freeipa/ticket/4651
---
ipa-client/ipa-join.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 46f6457..ac8251f 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -208,8 +208,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
struct berval bindpw_bv;
if (debug) {
- ldapdebug=2;
+ ldapdebug = 2;
ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+ if (ret != LDAP_OPT_SUCCESS) {
+ goto fail;
+ }
}
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
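Review bot: A failure to set `LDAP_OPT_DEBUG_LEVEL` now jumps to `fail` without printing anything, so running with debugging enabled can make `connect_ldap` fail with no indication of the cause. Report it before the jump, e.g. `fprintf(stderr, "Unable to set LDAP_OPT_DEBUG_LEVEL\n");`, or treat a diagnostics-only option as a warning and continue. The `fail` label is outside the hunk and is now reachable before the connection is created, so confirm that the handle it releases is initialised to NULL at its declaration.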
--
2.1.0
>From 4e4600da5cd9c42b76a56cdbdb4c1314ee7b0a2a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 10 Nov 2014 18:12:52 +0000
Subject: [PATCH 7/7] Fix unchecked return value in krb5 common utils
https://fedorahosted.org/freeipa/ticket/4651
---
util/ipa_krb5.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 6334ed3..feb23ea 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -730,6 +730,10 @@ struct berval *create_key_control(struct keys_container *keys,
if (ksdata[i].salttype == NO_SALT) {
ret = ber_printf(be, "}");
+ if (ret == -1) {
+ ber_free(be, 1);
+ return NULL;
+ }
continue;
}
--
2.1.0