7 files changed, 15 insertions, 26 deletions

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 6ecd29bf34..4dd809856c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1038,7 +1038,6 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
 }
 
 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
-					    TALLOC_CTX *mem_ctx, 
 					    uint8_t *data, size_t length, 
 					    const uint8_t *whole_pdu, size_t pdu_length,
 					    const DATA_BLOB *sig)
@@ -1053,7 +1052,7 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
 
 	dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
 
-	in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
+	in = data_blob_talloc(gensec_security, NULL, sig->length + length);
 
 	memcpy(in.data, sig->data, sig->length);
 	memcpy(in.data + sig->length, data, length);
@@ -1067,9 +1066,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
 			      &output_token, 
 			      &conf_state,
 			      &qop_state);
+	talloc_free(in.data);
 	if (GSS_ERROR(maj_stat)) {
+		char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
 		DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n", 
-			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+			  error_string));
+		talloc_free(error_string);
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
@@ -1128,7 +1130,6 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit
 }
 
 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
-					   TALLOC_CTX *mem_ctx, 
 					   const uint8_t *data, size_t length, 
 					   const uint8_t *whole_pdu, size_t pdu_length, 
 					   const DATA_BLOB *sig)
@@ -1159,8 +1160,10 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi
 			      &input_token,
 			      &qop_state);
 	if (GSS_ERROR(maj_stat)) {
-		DEBUG(1, ("GSS VerifyMic failed: %s\n",
-			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+		char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
+		DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string));
+		talloc_free(error_string);
+
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 2e3f0219e9..8f9aa921a9 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -290,7 +290,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
   unseal a packet
 */
 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-				       TALLOC_CTX *mem_ctx,
 				       uint8_t *data, size_t length,
 				       const uint8_t *whole_pdu, size_t pdu_length,
 				       const DATA_BLOB *sig)
@@ -299,7 +298,7 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
 		talloc_get_type(gensec_security->private_data,
 				struct schannel_state);
 
-	return netsec_incoming_packet(state, mem_ctx, true,
+	return netsec_incoming_packet(state, true,
 				      discard_const_p(uint8_t, data),
 				      length, sig);
 }
@@ -308,7 +307,6 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
   check the signature on a packet
 */
 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-				      TALLOC_CTX *mem_ctx,
 				      const uint8_t *data, size_t length,
 				      const uint8_t *whole_pdu, size_t pdu_length,
 				      const DATA_BLOB *sig)
@@ -317,7 +315,7 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
 		talloc_get_type(gensec_security->private_data,
 				struct schannel_state);
 
-	return netsec_incoming_packet(state, mem_ctx, false,
+	return netsec_incoming_packet(state, false,
 				      discard_const_p(uint8_t, data),
 				      length, sig);
 }
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 3611d31a23..c48e87e8b5 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -96,7 +96,6 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
   wrappers for the spnego_*() functions
 */
 static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_security, 
-					    TALLOC_CTX *mem_ctx, 
 					    uint8_t *data, size_t length, 
 					    const uint8_t *whole_pdu, size_t pdu_length, 
 					    const DATA_BLOB *sig)
@@ -109,14 +108,12 @@ static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_secur
 	}
 	
 	return gensec_unseal_packet(spnego_state->sub_sec_security, 
-				    mem_ctx, 
 				    data, length, 
 				    whole_pdu, pdu_length,
 				    sig); 
 }
 
 static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_security, 
-					   TALLOC_CTX *mem_ctx, 
 					   const uint8_t *data, size_t length, 
 					   const uint8_t *whole_pdu, size_t pdu_length, 
 					   const DATA_BLOB *sig)
@@ -129,7 +126,6 @@ static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_securi
 	}
 	
 	return gensec_check_packet(spnego_state->sub_sec_security, 
-				   mem_ctx, 
 				   data, length, 
 				   whole_pdu, pdu_length,
 				   sig);
@@ -922,7 +918,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
 			new_spnego = true;
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
-							out_mem_ctx,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
 							spnego_state->mech_types.data,
@@ -1029,7 +1024,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			}
 			if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
 				nt_status = gensec_check_packet(spnego_state->sub_sec_security,
-								out_mem_ctx,
 								spnego_state->mech_types.data,
 								spnego_state->mech_types.length,
 								spnego_state->mech_types.data,
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 95466b0407..72cd1549fe 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -45,7 +45,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 }
 
 NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
-				     TALLOC_CTX *sig_mem_ctx,
 				     const uint8_t *data, size_t length,
 				     const uint8_t *whole_pdu, size_t pdu_length,
 				     const DATA_BLOB *sig)
@@ -87,7 +86,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
   wrappers for the ntlmssp_*() functions
 */
 NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
-				      TALLOC_CTX *sig_mem_ctx,
 				      uint8_t *data, size_t length,
 				      const uint8_t *whole_pdu, size_t pdu_length,
 				      const DATA_BLOB *sig)
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 110da57c93..496cc0b2a6 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -708,7 +708,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
 	switch (c->security_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = gensec_unseal_packet(c->security_state.generic_state, 
-					      mem_ctx, 
 					      raw_packet->data + DCERPC_REQUEST_LENGTH,
 					      pkt->u.response.stub_and_verifier.length, 
 					      raw_packet->data,
@@ -721,7 +720,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
 		
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
 		status = gensec_check_packet(c->security_state.generic_state, 
-					     mem_ctx, 
 					     pkt->u.response.stub_and_verifier.data, 
 					     pkt->u.response.stub_and_verifier.length, 
 					     raw_packet->data,
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 1e6aa24c82..0802cd4323 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -328,7 +328,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 	switch (dce_conn->auth_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
-					      call,
 					      full_packet->data + hdr_size,
 					      pkt->u.request.stub_and_verifier.length, 
 					      full_packet->data,
@@ -341,7 +340,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
 		status = gensec_check_packet(dce_conn->auth_state.gensec_security,
-					     call,
 					     pkt->u.request.stub_and_verifier.data, 
 					     pkt->u.request.stub_and_verifier.length,
 					     full_packet->data,
diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
index 93529eeb1d..c98985c97c 100644
--- a/source4/torture/auth/ntlmssp.c
+++ b/source4/torture/auth/ntlmssp.c
@@ -78,14 +78,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 				   "data mismatch");
 
 	torture_assert_ntstatus_equal(tctx, 
-				      gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+				      gensec_ntlmssp_check_packet(gensec_security,
 								  data.data, data.length, data.data, data.length, &sig),
 				      NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
 
 	ntlmssp_state->session_key = data_blob(NULL, 0);
 
 	torture_assert_ntstatus_equal(tctx, 
-				      gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+				      gensec_ntlmssp_check_packet(gensec_security,
 								  data.data, data.length, data.data, data.length, &sig),
 				      NT_STATUS_NO_USER_SESSION_KEY, "Check of just signed packet without a session key should fail");
 
@@ -135,14 +135,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 				   "data mismatch");
 
 	torture_assert_ntstatus_equal(tctx, 
-				      gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+				      gensec_ntlmssp_check_packet(gensec_security,
 								  data.data, data.length, data.data, data.length, &sig),
 				      NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
 
 	sig.length /= 2;
 
 	torture_assert_ntstatus_equal(tctx, 
-				      gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+				      gensec_ntlmssp_check_packet(gensec_security,
 								  data.data, data.length, data.data, data.length, &sig),
 				      NT_STATUS_ACCESS_DENIED, "Check of just signed packet with short sig");