GHSL-2023-010: Memory leak when parsing usernames

Memory leak when parsing usernames (GHSL-2023-010)

Fixes defect GHSL-2023-010 found by the GitHub Security Lab team via
oss-fuzz.

The domain portion may be overridden causing an allocated memory area
the size of the domain name to be lost. This could be used to mount a
DoS by depleeting the server memory.

Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/gss_names.c

@@ -136,7 +136,6 @@ static uint32_t parse_user_name(uint32_t *minor_status,
         /* we may have an enterprise name here */
         char strbuf[len + 1];
         char *buf = strbuf;
-        bool domain_handled = false;
 
         /* copy buf to manipulate it */
         memcpy(buf, str, len);
@@ -160,9 +159,6 @@ static uint32_t parse_user_name(uint32_t *minor_status,
         }
 
         if (sep) {
-            /* leading domain, copy if domain name is not empty */
-            domain_handled = true;
-
             /* terminate and copy domain, even if empty */
             /* NOTE: this is important for the Windbind integration case
              * where we need to tell the machinery to *not* add the default
@@ -180,7 +176,7 @@ static uint32_t parse_user_name(uint32_t *minor_status,
 
         for (at = strchr(buf, '@'); at != NULL; at = strchr(at, '@')) {
             if (*(at - 1) == '\\') {
-                if (domain_handled) {
+                if (*domain) {
                     /* Invalid forms like DOM\foo\@bar or foo@bar\@baz */
                     free(*domain);
                     *domain = NULL;
@@ -189,7 +185,7 @@ static uint32_t parse_user_name(uint32_t *minor_status,
                 }
                 /* remove escape, moving all including terminating '\0' */
                 memmove(at - 1, at, len - (at - buf) + 1);
-            } else if (!domain_handled) {
+            } else if (!*domain) {
                 /* an '@' without escape and no previous
                  * domain was split out.
                  * the rest of the string is the domain */