Add a new stack var to hold the flags returned by the decoder routine
so that we don't need to worry so much about preserving "rc".
With this, we can drop privs before trying to find the location of
the credcache.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
decode_key_description(const char *desc, struct decoded_args *arg)
{
int retval = 0;
decode_key_description(const char *desc, struct decoded_args *arg)
{
int retval = 0;
DATA_BLOB sess_key = data_blob_null;
key_serial_t key = 0;
size_t datalen;
DATA_BLOB sess_key = data_blob_null;
key_serial_t key = 0;
size_t datalen;
long rc = 1;
int c;
char *buf, *princ, *ccname = NULL;
long rc = 1;
int c;
char *buf, *princ, *ccname = NULL;
- rc = decode_key_description(buf, &arg);
- if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
+ have = decode_key_description(buf, &arg);
+ SAFE_FREE(buf);
+ if ((have & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
syslog(LOG_ERR, "unable to get necessary params from key "
syslog(LOG_ERR, "unable to get necessary params from key "
- "description (0x%x)", rc);
+ "description (0x%x)", have);
if (arg.ver > CIFS_SPNEGO_UPCALL_VERSION) {
syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x",
if (arg.ver > CIFS_SPNEGO_UPCALL_VERSION) {
syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x",
- if (rc & DKD_HAVE_PID)
- ccname = get_krb5_ccname(arg.pid);
-
- if (rc & DKD_HAVE_UID) {
+ if (have & DKD_HAVE_UID) {
rc = setuid(arg.uid);
if (rc == -1) {
syslog(LOG_ERR, "setuid: %s", strerror(errno));
rc = setuid(arg.uid);
if (rc == -1) {
syslog(LOG_ERR, "setuid: %s", strerror(errno));
+ if (have & DKD_HAVE_PID)
+ ccname = get_krb5_ccname(arg.pid);
+
// do mech specific authorization
switch (arg.sec) {
case MS_KRB5:
// do mech specific authorization
switch (arg.sec) {
case MS_KRB5:
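Review bot: The privilege drop that now precedes `get_krb5_ccname(arg.pid)` is only `setuid(arg.uid)`, so as far as this hunk shows the credential-cache lookup still runs with the process's original primary and supplementary groups. If the helper starts as root, consider looking up the user's primary group and calling `initgroups()` (or `setgroups()`) and `setgid()` before `setuid()`, checking each result the way the `setuid` result is checked here; this may already be done outside the visible lines. The drop is also conditional on `have & DKD_HAVE_UID`, so unless `DKD_MUSTHAVE_SET` guarantees the uid bit (not visible here), a key description with a pid but no uid runs the lookup with unchanged credentials. Either refuse that case or mark it as deliberate with a comment such as `/* no uid supplied: ccache search runs with unchanged credentials */`. The enclosing function starts and ends outside the hunk.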