From 278b347c6f84140b4fc58d7c11749bbf6c44a50c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 6 Mar 2014 10:26:29 +0200
Subject: [PATCH] ipa-kdb: do not fetch client principal if it is the same as existing entry
When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak.
https://fedorahosted.org/freeipa/ticket/4223
Reviewed-By: Sumit Bose
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 68f27f0e2d9028cdaece80c4bd3440d0438d20db..8481278760aba2d5dec5c337813f394633d67e46 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 bool with_pad;
 int result;
 krb5_db_entry *client_entry = NULL;
+ krb5_boolean is_equal;
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 if (client_princ != NULL) {
 ks_client_princ = client_princ;
 if (!is_as_req) {
- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
- /* If we didn't find client_princ in our database, it might be:
- * - a principal from another realm, handle it down in ipadb_get/verify_pac()
- */
- if (!kerr) {
- client_entry = NULL;
+ is_equal = false;
+ if ((client != NULL) && (client->princ != NULL)) {
+ is_equal = krb5_principal_compare(context, client_princ, client->princ);
+ }
+ if (!is_equal) {
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+ /* If we didn't find client_princ in our database, it might be:
+ * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+ */
+ if (kerr != 0) {
+ client_entry = NULL;
+ }
 }
 }
 } else {
--
1.8.5.3
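Review bot: In the new `if (kerr != 0)` branch every failure of `ipadb_get_principal()` is handled as "principal not in our database", so a directory or allocation error while looking up a local client is silently treated like the cross-realm case the comment describes and is left to the later PAC handling. It would be safer to clear the entry only for the not-found result (presumably `KRB5_KDB_NOENTRY`), as in `if (kerr == KRB5_KDB_NOENTRY) { client_entry = NULL; }`, and to return any other error through the function's existing error path. Note also that when `is_equal` is true `client_entry` stays NULL, so the code after this hunk has to fall back to `client`. That code and the rest of `ipadb_sign_authdata` lie outside the hunk, so both points should be confirmed there.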