1 files changed, 45 insertions, 21 deletions

diff --git a/lib/krb5.c b/lib/krb5.c
index 36afc3c..2530395 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -1,6 +1,6 @@
 /* GSSAPI/krb5 support for FTP - loosely based on old krb4.c
  *
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999, 2010 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * Copyright (c) 2004 - 2009 Daniel Stenberg
  * All rights reserved.
@@ -76,9 +76,18 @@
 #define REMOTE_ADDR conn->ip_addr->ai_addr
 
 static int
+krb5_init(void *app_data)
+{
+  gss_ctx_id_t *context = app_data;
+  /* Make sure our context is initialized for krb5_end. */
+  *context = GSS_C_NO_CONTEXT;
+  return 0;
+}
+
+static int
 krb5_check_prot(void *app_data, int level)
 {
-  app_data = NULL; /* prevent compiler warning */
+  (void)app_data; /* unused */
   if(level == prot_confidential)
     return -1;
   return 0;
@@ -161,15 +170,15 @@ krb5_encode(void *app_data, const void *from, int length, int level, void **to,
 static int
 krb5_auth(void *app_data, struct connectdata *conn)
 {
-  int ret;
+  int ret = AUTH_OK;
   char *p;
-  const char *host = conn->dns_entry->addr->ai_canonname;
+  const char *host = conn->host.name;
   ssize_t nread;
   curl_socklen_t l = sizeof(conn->local_addr);
   struct SessionHandle *data = conn->data;
   CURLcode result;
   const char *service = "ftp", *srv_host = "host";
-  gss_buffer_desc gssbuf, _gssresp, *gssresp;
+  gss_buffer_desc input_buffer, output_buffer, _gssresp, *gssresp;
   OM_uint32 maj, min;
   gss_name_t gssname;
   gss_ctx_id_t *context = app_data;
@@ -205,28 +214,31 @@ krb5_auth(void *app_data, struct connectdata *conn)
         return -1;
     }
 
-    gssbuf.value = data->state.buffer;
-    gssbuf.length = snprintf(gssbuf.value, BUFSIZE, "%s@%s", service, host);
-    maj = gss_import_name(&min, &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &gssname);
+    input_buffer.value = data->state.buffer;
+    input_buffer.length = snprintf(input_buffer.value, BUFSIZE, "%s@%s",
+                                   service, host);
+    maj = gss_import_name(&min, &input_buffer, GSS_C_NT_HOSTBASED_SERVICE,
+                          &gssname);
     if(maj != GSS_S_COMPLETE) {
       gss_release_name(&min, &gssname);
       if(service == srv_host) {
-        Curl_failf(data, "Error importing service name %s", gssbuf.value);
+        Curl_failf(data, "Error importing service name %s", input_buffer.value);
         return AUTH_ERROR;
       }
       service = srv_host;
       continue;
     }
-    {
-      gss_OID t;
-      gss_display_name(&min, gssname, &gssbuf, &t);
-      Curl_infof(data, "Trying against %s\n", gssbuf.value);
-      gss_release_buffer(&min, &gssbuf);
-    }
+    /* We pass NULL as |output_name_type| to avoid a leak. */
+    gss_display_name(&min, gssname, &output_buffer, NULL);
+    Curl_infof(data, "Trying against %s\n", output_buffer.value);
     gssresp = GSS_C_NO_BUFFER;
     *context = GSS_C_NO_CONTEXT;
 
     do {
+      /* Release the buffer at each iteration to avoid leaking: the first time
+         we are releasing the memory from gss_display_name. The last item is
+         taken care by a final gss_release_buffer. */
+      gss_release_buffer(&min, &output_buffer);
       ret = AUTH_OK;
       maj = gss_init_sec_context(&min,
                                  GSS_C_NO_CREDENTIAL,
@@ -238,7 +250,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
                                  &chan,
                                  gssresp,
                                  NULL,
-                                 &gssbuf,
+                                 &output_buffer,
                                  NULL,
                                  NULL);
 
@@ -253,9 +265,9 @@ krb5_auth(void *app_data, struct connectdata *conn)
         break;
       }
 
-      if(gssbuf.length != 0) {
-        if(Curl_base64_encode(data, (char *)gssbuf.value, gssbuf.length, &p)
-           < 1) {
+      if(output_buffer.length != 0) {
+        if(Curl_base64_encode(data, (char *)output_buffer.value,
+                              output_buffer.length, &p) < 1) {
           Curl_infof(data, "Out of memory base64-encoding");
           ret = AUTH_CONTINUE;
           break;
@@ -298,6 +310,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
     } while(maj == GSS_S_CONTINUE_NEEDED);
 
     gss_release_name(&min, &gssname);
+    gss_release_buffer(&min, &output_buffer);
 
     if(gssresp)
       free(_gssresp.value);
@@ -307,14 +320,25 @@ krb5_auth(void *app_data, struct connectdata *conn)
 
     service = srv_host;
   }
+  return ret;
+}
+
+static void krb5_end(void *app_data)
+{
+    OM_uint32 maj, min;
+    gss_ctx_id_t *context = app_data;
+    if (*context != GSS_C_NO_CONTEXT) {
+      maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER);
+      DEBUGASSERT(maj == GSS_S_COMPLETE);
+    }
 }
 
 struct Curl_sec_client_mech Curl_krb5_client_mech = {
     "GSSAPI",
     sizeof(gss_ctx_id_t),
-    NULL, /* init */
+    krb5_init,
     krb5_auth,
-    NULL, /* end */
+    krb5_end,
     krb5_check_prot,
     krb5_overhead,
     krb5_encode,