chore(NODE-3500): clean up various bugs and memory leaks (#135)

Author: addaleax

src/kerberos_common.h

@@ -1,5 +1,5 @@
-#ifndef COMMON_H
-#define COMMON_H
+#ifndef KERBEROS_COMMON_H
+#define KERBEROS_COMMON_H
 
 #include <nan.h>
 
@@ -17,11 +17,6 @@ typedef sspi_server_state krb_server_state;
 typedef sspi_result krb_result;
 #endif
 
-// Provide a default custom delter for the `gss_result` type
-inline void ResultDeleter(krb_result* result) {
-  free(result);
-}
-
 // Useful methods for optional value handling
 NAN_INLINE std::string StringOptionValue(v8::Local<v8::Object> options, const char* _key) {
     Nan::HandleScope scope;

src/kerberos_worker.h

@@ -1,5 +1,5 @@
-#ifndef ASYNC_WORKER_H
-#define ASYNC_WORKER_H
+#ifndef KERBEROS_ASYNC_WORKER_H
+#define KERBEROS_ASYNC_WORKER_H
 
 #include <functional>
 #include <nan.h>

src/unix/base64.cc

@@ -20,8 +20,8 @@
 #include <string.h>
 
 // base64 tables
-static char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static signed char index_64[128] = {
+static const char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const signed char index_64[128] = {
     -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
     -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62,
     -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0,

src/unix/kerberos_gss.cc

@@ -28,10 +28,10 @@
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 #endif
 
-static gss_result* gss_success_result(int ret);
-static gss_result* gss_error_result(OM_uint32 err_maj, OM_uint32 err_min);
-static gss_result* gss_error_result_with_message(const char* message);
-static gss_result* gss_error_result_with_message_and_code(const char* mesage, int code);
+static gss_result gss_success_result(int ret);
+static gss_result gss_error_result(OM_uint32 err_maj, OM_uint32 err_min);
+static gss_result gss_error_result_with_message(const char* message);
+static gss_result gss_error_result_with_message_and_code(const char* mesage, int code);
 
 gss_client_state* gss_client_state_new() {
     gss_client_state* state = (gss_client_state*)malloc(sizeof(gss_client_state));
@@ -53,11 +53,11 @@ gss_server_state* gss_server_state_new() {
     return state;
 }
 
-gss_result* server_principal_details(const char* service, const char* hostname) {
+gss_result server_principal_details(const char* service, const char* hostname) {
     char match[1024];
     size_t match_len = 0;
-    char* details = NULL;
-    gss_result* result = NULL;
+    std::string details;
+    gss_result result {};
 
     int code;
     krb5_context kcontext;
@@ -96,8 +96,7 @@ gss_result* server_principal_details(const char* service, const char* hostname)
         }
 
         if (strncmp(pname, match, match_len) == 0) {
-            details = (char*)malloc(strlen(pname) + 1);
-            strcpy(details, pname);
+            details = pname;
             krb5_free_unparsed_name(kcontext, pname);
             krb5_free_keytab_entry_contents(kcontext, &entry);
             break;
@@ -107,11 +106,11 @@ gss_result* server_principal_details(const char* service, const char* hostname)
         krb5_free_keytab_entry_contents(kcontext, &entry);
     }
 
-    if (details == NULL) {
+    if (details.empty()) {
         result = gss_error_result_with_message_and_code("Principal not found in keytab", -1);
     } else {
         result = gss_success_result(AUTH_GSS_COMPLETE);
-        result->data = details;
+        result.data = std::move(details);
     }
 end:
     if (cursor)
@@ -123,7 +122,7 @@ gss_result* server_principal_details(const char* service, const char* hostname)
     return result;
 }
 
-gss_result* authenticate_gss_client_init(const char* service,
+gss_result authenticate_gss_client_init(const char* service,
                                          const char* principal,
                                          long int gss_flags,
                                          gss_server_state* delegatestate,
@@ -133,7 +132,7 @@ gss_result* authenticate_gss_client_init(const char* service,
     OM_uint32 min_stat;
     gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc principal_token = GSS_C_EMPTY_BUFFER;
-    gss_result* ret = NULL;
+    gss_result ret {};
 
     state->server_name = GSS_C_NO_NAME;
     state->mech_oid = mech_oid;
@@ -218,14 +217,14 @@ int authenticate_gss_client_clean(gss_client_state* state) {
     return ret;
 }
 
-gss_result* authenticate_gss_client_step(gss_client_state* state,
+gss_result authenticate_gss_client_step(gss_client_state* state,
                                          const char* challenge,
                                          struct gss_channel_bindings_struct* channel_bindings) {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
-    gss_result* ret = NULL;
+    gss_result ret {};
     int temp_ret = AUTH_GSS_CONTINUE;
 
     // Always clear out the old response
@@ -330,13 +329,13 @@ gss_result* authenticate_gss_client_step(gss_client_state* state,
     return ret;
 }
 
-gss_result* authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge) {
+gss_result authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge) {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
     int conf = 0;
-    gss_result* ret = NULL;
+    gss_result ret {};
 
     // Always clear out the old response
     if (state->response != NULL) {
@@ -378,7 +377,7 @@ gss_result* authenticate_gss_client_unwrap(gss_client_state* state, const char*
     return ret;
 }
 
-gss_result* authenticate_gss_client_wrap(gss_client_state* state,
+gss_result authenticate_gss_client_wrap(gss_client_state* state,
                                          const char* challenge,
                                          const char* user,
                                          int protect) {
@@ -388,7 +387,7 @@ gss_result* authenticate_gss_client_wrap(gss_client_state* state,
     gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
     char buf[4096];
     unsigned long buf_size;
-    gss_result* ret = NULL;
+    gss_result ret {};
 
     // Always clear out the old response
     if (state->response != NULL) {
@@ -422,9 +421,10 @@ gss_result* authenticate_gss_client_wrap(gss_client_state* state,
         memcpy(buf, &buf_size, 4);
         buf[0] = GSS_AUTH_P_NONE;
         // server decides if principal can log in as user
-        strncpy(buf + 4, user, sizeof(buf) - 4);
+        strncpy(buf + 4, user, sizeof(buf) - 5);
+        buf[sizeof(buf) - 1] = '\0';
         input_token.value = buf;
-        input_token.length = 4 + strlen(user);
+        input_token.length = 4 + strlen(buf + 4);
     }
 
     // Do GSSAPI wrap
@@ -455,12 +455,12 @@ gss_result* authenticate_gss_client_wrap(gss_client_state* state,
     return ret;
 }
 
-gss_result* authenticate_gss_server_init(const char* service, gss_server_state* state) {
+gss_result authenticate_gss_server_init(const char* service, gss_server_state* state) {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     size_t service_len;
     gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
-    gss_result* ret = NULL;
+    gss_result ret {};
 
     state->context = GSS_C_NO_CONTEXT;
     state->server_name = GSS_C_NO_NAME;
@@ -537,14 +537,14 @@ int authenticate_gss_server_clean(gss_server_state* state) {
     return ret;
 }
 
-gss_result* authenticate_gss_server_step(gss_server_state* state, const char* challenge) {
+gss_result authenticate_gss_server_step(gss_server_state* state, const char* challenge) {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
     gss_name_t target_name = GSS_C_NO_NAME;
     // int ret = AUTH_GSS_CONTINUE;
-    gss_result* ret = NULL;
+    gss_result ret {};
 
     // Always clear out the old response
     if (state->response != NULL) {
@@ -632,15 +632,15 @@ gss_result* authenticate_gss_server_step(gss_server_state* state, const char* ch
     return ret;
 }
 
-gss_result* authenticate_user_krb5pwd(const char* user,
+gss_result authenticate_user_krb5pwd(const char* user,
                                       const char* pswd,
                                       const char* service,
                                       const char* default_realm) {
     krb5_context kcontext = NULL;
     krb5_error_code code;
     krb5_principal client = NULL;
     krb5_principal server = NULL;
-    gss_result* result = NULL;
+    gss_result result {};
     int ret = 0;
     char* name = NULL;
     char* p = NULL;
@@ -727,58 +727,53 @@ gss_result* authenticate_user_krb5pwd(const char* user,
     return result;
 }
 
-static gss_result* gss_success_result(int ret) {
-    gss_result* result = (gss_result*)malloc(sizeof(gss_result));
-    result->code = ret;
-    result->message = NULL;
-    return result;
+static gss_result gss_success_result(int ret) {
+    return { ret, "", "" };
 }
 
-static gss_result* gss_error_result(OM_uint32 err_maj, OM_uint32 err_min) {
+static gss_result gss_error_result(OM_uint32 err_maj, OM_uint32 err_min) {
     OM_uint32 maj_stat, min_stat;
     OM_uint32 msg_ctx = 0;
     gss_buffer_desc status_string;
-    char buf_maj[512];
-    char buf_min[512];
-    gss_result* result;
+    std::string buf_maj;
+    std::string buf_min;
 
     do {
         maj_stat = gss_display_status(
             &min_stat, err_maj, GSS_C_GSS_CODE, GSS_C_NO_OID, &msg_ctx, &status_string);
         if (GSS_ERROR(maj_stat))
             break;
-        strncpy(buf_maj, (char*)status_string.value, sizeof(buf_maj));
+        buf_maj = (char*)status_string.value;
         gss_release_buffer(&min_stat, &status_string);
 
         maj_stat = gss_display_status(
             &min_stat, err_min, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
         if (!GSS_ERROR(maj_stat)) {
-            strncpy(buf_min, (char*)status_string.value, sizeof(buf_min));
-            gss_release_buffer(&min_stat, &status_string);
+            buf_min = (char*)status_string.value;
         }
     } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
 
-    result = (gss_result*)malloc(sizeof(gss_result));
-    result->code = AUTH_GSS_ERROR;
-    result->message = (char*)malloc(sizeof(char) * 1024 + 2);
-    sprintf(result->message, "%s: %s", buf_maj, buf_min);
-
-    return result;
+    return {
+        AUTH_GSS_ERROR,
+        buf_maj + ": " + buf_min,
+        ""
+    };
 }
 
-static gss_result* gss_error_result_with_message(const char* message) {
-    gss_result* result = (gss_result*)malloc(sizeof(gss_result));
-    result->code = AUTH_GSS_ERROR;
-    result->message = strdup(message);
-    return result;
+static gss_result gss_error_result_with_message(const char* message) {
+    return {
+        AUTH_GSS_ERROR,
+        message,
+        ""
+    };
 }
 
-static gss_result* gss_error_result_with_message_and_code(const char* message, int code) {
-    gss_result* result = (gss_result*)malloc(sizeof(gss_result));
-    result->code = AUTH_GSS_ERROR;
-    result->message = (char*)malloc(strlen(message) + 20);
-    sprintf(result->message, "%s (%d)", message, code);
-    return result;
+static gss_result gss_error_result_with_message_and_code(const char* message, int code) {
+    return {
+        AUTH_GSS_ERROR,
+        std::string(message) + " (" + std::to_string(code) + ")",
+        ""
+    };
 }
 
 #if defined(__clang__)

src/unix/kerberos_gss.h

@@ -14,13 +14,20 @@
  * limitations under the License.
  **/
 
+#ifndef KERBEROS_GSS_H
+#define KERBEROS_GSS_H
+
 extern "C" {
     #include <gssapi/gssapi.h>
     #include <gssapi/gssapi_generic.h>
     #include <gssapi/gssapi_krb5.h>
 }
 
-#define krb5_get_err_text(context, code) error_message(code)
+#include <string>
+
+inline const char* krb5_get_err_text(const krb5_context&, krb5_error_code code) {
+    return error_message(code);
+}
 
 #define AUTH_GSS_ERROR -1
 #define AUTH_GSS_COMPLETE 1
@@ -32,8 +39,8 @@ extern "C" {
 
 typedef struct {
     int code;
-    char* message;
-    char* data;
+    std::string message;
+    std::string data;
 } gss_result;
 
 typedef struct {
@@ -63,29 +70,31 @@ typedef struct {
 gss_client_state* gss_client_state_new();
 gss_server_state* gss_server_state_new();
 
-gss_result* server_principal_details(const char* service, const char* hostname);
+gss_result server_principal_details(const char* service, const char* hostname);
 
-gss_result* authenticate_gss_client_init(const char* service,
-                                         const char* principal,
-                                         long int gss_flags,
-                                         gss_server_state* delegatestate,
-                                         gss_OID mech_oid,
-                                         gss_client_state* state);
+gss_result authenticate_gss_client_init(const char* service,
+                                        const char* principal,
+                                        long int gss_flags,
+                                        gss_server_state* delegatestate,
+                                        gss_OID mech_oid,
+                                        gss_client_state* state);
 
 int authenticate_gss_client_clean(gss_client_state* state);
-gss_result* authenticate_gss_client_step(gss_client_state* state,
-                                         const char* challenge,
-                                         struct gss_channel_bindings_struct* channel_bindings);
-gss_result* authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);
-gss_result* authenticate_gss_client_wrap(gss_client_state* state,
-                                         const char* challenge,
-                                         const char* user,
-                                         int protect);
-gss_result* authenticate_gss_server_init(const char* service, gss_server_state* state);
+gss_result authenticate_gss_client_step(gss_client_state* state,
+                                        const char* challenge,
+                                        struct gss_channel_bindings_struct* channel_bindings);
+gss_result authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);
+gss_result authenticate_gss_client_wrap(gss_client_state* state,
+                                        const char* challenge,
+                                        const char* user,
+                                        int protect);
+gss_result authenticate_gss_server_init(const char* service, gss_server_state* state);
 int authenticate_gss_server_clean(gss_server_state* state);
-gss_result* authenticate_gss_server_step(gss_server_state* state, const char* challenge);
+gss_result authenticate_gss_server_step(gss_server_state* state, const char* challenge);
+
+gss_result authenticate_user_krb5pwd(const char* user,
+                                     const char* pswd,
+                                     const char* service,
+                                     const char* default_realm);
 
-gss_result* authenticate_user_krb5pwd(const char* user,
-                                      const char* pswd,
-                                      const char* service,
-                                      const char* default_realm);
+#endif