From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 1/1] gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}. Date: Thu, 4 Feb 2016 19:49:08 -0500 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56519) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aRUaM-0007XP-52 for guix-devel@gnu.org; Thu, 04 Feb 2016 19:49:20 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aRUaJ-0003En-KD for guix-devel@gnu.org; Thu, 04 Feb 2016 19:49:18 -0500 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40908) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aRUaJ-0003Ea-G7 for guix-devel@gnu.org; Thu, 04 Feb 2016 19:49:15 -0500 Received: from jasmine.home (pool-173-49-104-211.phlapa.fios.verizon.net [173.49.104.211]) by mail.messagingengine.com (Postfix) with ESMTPA id 1657A680114 for ; Thu, 4 Feb 2016 19:49:13 -0500 (EST) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org * gnu/packages/patches/mit-krb5-CVE-2015-8629.patch, gnu/packages/patches/mit-krb5-CVE-2015-8630.patch, gnu/packages/patches/mit-krb5-CVE-2015-8631.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Apply patches. --- gnu-system.am | 3 + gnu/packages/mit-krb5.scm | 6 +- gnu/packages/patches/mit-krb5-CVE-2015-8629.patch | 29 ++ gnu/packages/patches/mit-krb5-CVE-2015-8630.patch | 59 +++ gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++++++++++++++++++++++ 5 files changed, 646 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch diff --git a/gnu-system.am b/gnu-system.am index 04bd519..e6ff131 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -626,6 +626,9 @@ dist_patch_DATA = \ gnu/packages/patches/mit-krb5-CVE-2015-2697.patch \ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch \ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch \ + gnu/packages/patches/mit-krb5-CVE-2015-8629.patch \ + gnu/packages/patches/mit-krb5-CVE-2015-8630.patch \ + gnu/packages/patches/mit-krb5-CVE-2015-8631.patch \ gnu/packages/patches/mpc123-initialize-ao.patch \ gnu/packages/patches/mplayer2-theora-fix.patch \ gnu/packages/patches/module-init-tools-moduledir.patch \ diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm index 16bef8d..7591334 100644 --- a/gnu/packages/mit-krb5.scm +++ b/gnu/packages/mit-krb5.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013 Andreas Enge ;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -54,7 +55,10 @@ "CVE-2015-2696" "CVE-2015-2697" "CVE-2015-2698-pt1" - "CVE-2015-2698-pt2")))) + "CVE-2015-2698-pt2" + "CVE-2015-8629" + "CVE-2015-8630" + "CVE-2015-8631")))) (arguments `(#:modules ((ice-9 ftw) (ice-9 match) diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch new file mode 100644 index 0000000..6d1c3e7 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch @@ -0,0 +1,29 @@ +Fix CVE-2015-8629 (xdr_nullstring() doesn't check for terminating null +character). + +From upstream git repository, commit +df17a1224a3406f57477bcd372c61e04c0e5a5bb. + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2bef858..ba67084 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) + return FALSE; + } + } +- return (xdr_opaque(xdrs, *objp, size)); ++ if (!xdr_opaque(xdrs, *objp, size)) ++ return FALSE; ++ /* Check that the unmarshalled bytes are a C string. */ ++ if ((*objp)[size - 1] != '\0') ++ return FALSE; ++ if (memchr(*objp, '\0', size - 1) != NULL) ++ return FALSE; ++ return TRUE; + + case XDR_ENCODE: + if (size != 0) +-- +2.6.3 + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch new file mode 100644 index 0000000..431eb27 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch @@ -0,0 +1,59 @@ +Fix CVE-2015-8630 (krb5 doesn't check for null policy when KADM5_POLICY +is set in the mask). + +From upstream git repository, commit +b863de7fbf080b15e347a736fdda0a82d42f4f6b. + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 5b95fa3..1d4365c 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle, + /* + * Argument sanity checking, and opening up the DB + */ ++ if (entry == NULL) ++ return EINVAL; + if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || + (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || + (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || +@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) + return KADM5_BAD_MASK; ++ if((mask & KADM5_POLICY) && entry->policy == NULL) ++ return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; +- if (entry == NULL) +- return EINVAL; + + /* + * Check to see if the principal exists +@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle, + + krb5_clear_error_message(handle->context); + ++ if(entry == NULL) ++ return EINVAL; + if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) || + (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) || + (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || +@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++ if((mask & KADM5_POLICY) && entry->policy == NULL) ++ return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) + return KADM5_BAD_MASK; +- if(entry == (kadm5_principal_ent_t) NULL) +- return EINVAL; + if (mask & KADM5_TL_DATA) { + tl_data_orig = entry->tl_data; + while (tl_data_orig) { +-- +2.6.3 + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch new file mode 100644 index 0000000..ec036d7 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch @@ -0,0 +1,550 @@ +Fix CVE-2016-8631 (Memory leak caused by supplying a null principal name +in request). + +From upstream git repository, commit +83ed75feba32e46f736fcce0d96a0445f29b96c2. + +diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c +index 1879dc6..6ac797e 100644 +--- a/src/kadmin/server/server_stubs.c ++++ b/src/kadmin/server/server_stubs.c +@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) + + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -570,10 +572,9 @@ generic_ret * + rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; +- char *prime_arg1, +- *prime_arg2; +- gss_buffer_desc client_name, +- service_name; ++ char *prime_arg1 = NULL, *prime_arg2 = NULL; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + + } ++exit_func: + free(prime_arg1); + free(prime_arg2); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) + { + static gprinc_ret ret; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) + { + static gprincs_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) + static gpol_ret ret; + kadm5_ret_t ret2; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_principal_ent_rec caller_ent; + kadm5_server_handle_t handle; +@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + +@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) + { + static gpols_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1541,7 +1542,8 @@ exit_func: + getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + { + static getprivs_ret ret; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + +@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) + { + static gstrings_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1754,8 +1757,8 @@ exit_func: + generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + { + static generic_ret ret; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + const char *errmsg = NULL; +@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + rqstp->rq_cred.oa_flavor); + if (errmsg != NULL) + krb5_free_error_message(NULL, errmsg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + return(&ret); + } + +-- +2.6.3 + -- 2.6.3