From a6e5d53a358f3871d8ae646b252250d215d09883 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 16 Jun 2021 15:28:28 +0200
Subject: [PATCH] kcm: terminate client on bad message
The debug message clearly says that the original intention was to
abort the client, not send an error message.
We may end up in a state where we get into an infinit loop, fo example
when the client send an message that indicates 0 lenght, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.
More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 49518920b..9b27bbdcc 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -548,7 +548,8 @@ static void kcm_recv(struct cli_ctx *cctx)
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to parse data (%d, %s), aborting client\n",
ret, sss_strerror(ret));
- goto fail;
+ talloc_free(cctx);
+ return;
}
/* do not read anymore, client is done sending */
@@ -559,15 +560,13 @@ static void kcm_recv(struct cli_ctx *cctx)
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to dispatch KCM operation [%d]: %s\n",
ret, sss_strerror(ret));
- goto fail;
+ /* Fail with reply */
+ kcm_reply_error(cctx, ret, &req->repbuf);
+ return;
}
/* Dispatched request resumes in kcm_cmd_request_done */
return;
-
-fail:
- /* Fail with reply */
- kcm_reply_error(cctx, ret, &req->repbuf);
}
static int kcm_send_data(struct cli_ctx *cctx)
--
2.26.3