From e1585c3a0cd899f746bde2092aef4ff348d0bb60 Mon Sep 17 00:00:00 2001
From: Sebastien Buisson <sbuisson@ddn.com>
Date: Thu, 9 Jan 2025 18:38:44 +0100
Subject: [PATCH] LU-18623 gss: rework memory allocation for wrap

Make sure buffers used in gss code to carry out
encryption/decryption are correctly allocated.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el9.5 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el9.2 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el8.10 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=el8.8 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=ubuntu2204 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=x86_64 clientdistro=ubuntu2404 serverarch=x86_64 serverdistro=el9.4
Test-Parameters: kerberos=true testlist=sanity-krb5 clientarch=aarch64 clientdistro=el9.3 serverarch=x86_64 serverdistro=el9.4
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ia60a5171d34dad2866fd971a8e838b92486d44df
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57701
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---
 lustre/ptlrpc/gss/gss_krb5_mech.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index 17aab2a..f7d5428e 100644
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -967,16 +967,16 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
 			int msg_buflen,
 			rawobj_t *token)
 {
-	struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+	struct krb5_ctx *kctx = gctx->internal_ctx_id;
 	struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-	struct krb5_header  *khdr;
-	int                  blocksize;
-	rawobj_t             cksum = RAWOBJ_EMPTY;
-	rawobj_t             data_desc[3], cipher;
-	__u8                 conf[GSS_MAX_CIPHER_BLOCK];
-	__u8                 local_iv[16] = {0};
+	struct krb5_header *khdr;
+	int blocksize;
+	rawobj_t cksum = RAWOBJ_EMPTY;
+	rawobj_t data_desc[3], cipher;
+	__u8 local_iv[16] = {0};
+	__u8 *conf = NULL;
 	u32 major;
-	int                  rc = 0;
+	int rc = 0;
 
 	LASSERT(ke);
 	LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
@@ -984,6 +984,10 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
 		ke->ke_conf_size >=
 		crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm));
 
+	OBD_ALLOC(conf, GSS_MAX_CIPHER_BLOCK);
+	if (!conf)
+		return GSS_S_FAILURE;
+
 	/*
 	 * final token format:
 	 * ---------------------------------------------------
@@ -1008,7 +1012,7 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
 
 	/* padding the message */
 	if (gss_add_padding(msg, msg_buflen, blocksize))
-		return GSS_S_FAILURE;
+		GOTO(out_free_conf, major = GSS_S_FAILURE);
 
 	/*
 	 * clear text layout for checksum:
@@ -1064,6 +1068,8 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
 	major = GSS_S_COMPLETE;
 out_free_cksum:
 	rawobj_free(&cksum);
+out_free_conf:
+	OBD_FREE(conf, GSS_MAX_CIPHER_BLOCK);
 	return major;
 }
 
-- 
1.8.3.1