LU-18623 gss: rework memory allocation for wrap

Make sure buffers used in gss code to carry out
encryption/decryption are correctly allocated.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el9.5 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el9.2 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el8.10 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el8.8 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=ubuntu2204 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=ubuntu2404 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=aarch64 clientdistro=el9.3 serverarch=x86_64 serverdistro=el9.4
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ia60a5171d34dad2866fd971a8e838b92486d44df
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57701
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index 17aab2a..f7d5428 100644 (file)
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -967,16 +967,16 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
                        int msg_buflen,
                        rawobj_t *token)
 {
-       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_ctx *kctx = gctx->internal_ctx_id;
        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-       struct krb5_header  *khdr;
-       int                  blocksize;
-       rawobj_t             cksum = RAWOBJ_EMPTY;
-       rawobj_t             data_desc[3], cipher;
-       __u8                 conf[GSS_MAX_CIPHER_BLOCK];
-       __u8                 local_iv[16] = {0};
+       struct krb5_header *khdr;
+       int blocksize;
+       rawobj_t cksum = RAWOBJ_EMPTY;
+       rawobj_t data_desc[3], cipher;
+       __u8 local_iv[16] = {0};
+       __u8 *conf = NULL;
        u32 major;
-       int                  rc = 0;
+       int rc = 0;
 
        LASSERT(ke);
        LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
@@ -984,6 +984,10 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
                ke->ke_conf_size >=
                crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm));
 
+       OBD_ALLOC(conf, GSS_MAX_CIPHER_BLOCK);
+       if (!conf)
+               return GSS_S_FAILURE;
+
        /*
         * final token format:
         * ---------------------------------------------------
@@ -1008,7 +1012,7 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
 
        /* padding the message */
        if (gss_add_padding(msg, msg_buflen, blocksize))
-               return GSS_S_FAILURE;
+               GOTO(out_free_conf, major = GSS_S_FAILURE);
 
        /*
         * clear text layout for checksum:
@@ -1064,6 +1068,8 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
        major = GSS_S_COMPLETE;
 out_free_cksum:
        rawobj_free(&cksum);
+out_free_conf:
+       OBD_FREE(conf, GSS_MAX_CIPHER_BLOCK);
        return major;
 }