[SSSD] [sssd PR#224][opened] responders: do not leak selinux context on clients destruction

Mon, 03 Apr 2017 03:58:18 -0700 

   URL: https://github.com/SSSD/sssd/pull/224
Author: pbrezina
 Title: #224: responders: do not leak selinux context on clients destruction
Action: opened

PR body:
"""
The SELinux context created in get_client_cred is not talloc bound and
we were leaking it if available with each client's destruction.

Resolves:
https://pagure.io/SSSD/sssd/issue/3360
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/224/head:pr224
git checkout pr224

From e88cb9da465dacebf5f73d963cd69fd6a428777c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 3 Apr 2017 12:56:01 +0200
Subject: [PATCH] responders: do not leak selinux context on clients
 destruction

The SELinux context created in get_client_cred is not talloc bound and
we were leaking it if available with each client's destruction.

Resolves:
https://pagure.io/SSSD/sssd/issue/3360
---
 src/responder/common/responder_common.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 154d7dc..67e1dee 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
     SEC_CTX secctx;
     int ret;
 
-    cctx->creds = talloc(cctx, struct cli_creds);
+    cctx->creds = talloc_zero(cctx, struct cli_creds);
     if (!cctx->creds) return ENOMEM;
 
 #ifdef HAVE_UCRED
@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev,
 
 static errno_t setup_client_idle_timer(struct cli_ctx *cctx);
 
+static int cli_ctx_destructor(struct cli_ctx *cctx)
+{
+    if (cctx->creds == NULL) {
+        return 0;
+    }
+
+    if (cctx->creds->selinux_ctx == NULL) {
+        return 0;
+    }
+
+    SELINUX_context_free(cctx->creds->selinux_ctx);
+    cctx->creds->selinux_ctx = NULL;
+
+    return 0;
+}
+
 struct accept_fd_ctx {
     struct resp_ctx *rctx;
     bool is_private;
@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev,
         return;
     }
 
+    talloc_set_destructor(cctx, cli_ctx_destructor);
+
     len = sizeof(cctx->addr);
     cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
     if (cctx->cfd == -1) {

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to