svn rev #24949: branches/krb5-1-9/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Thu Jun 9 17:08:34 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24949
Commit By: tlyu
Log Message:
ticket: 6884
version_fixed: 1.9.2
status: resolved

pull up r24722 from trunk

 ------------------------------------------------------------------------
 r24722 | ghudson | 2011-03-17 16:02:01 -0400 (Thu, 17 Mar 2011) | 11 lines

 ticket: 6884
 subject: KDC memory leak in FAST error path
 target_version: 1.9.1
 tags: pullup

 When kdc_fast_handle_error() produces a FAST-encoded error, it puts it
 into err->e_data and it never gets freed (since in the non-FAST case,
 err->e_data contains aliased pointers).  Fix this by storing the
 encoded error in an output variable which is placed into the error's
 e_data by the caller and then freed.


Changed Files:
U   branches/krb5-1-9/src/kdc/do_as_req.c
U   branches/krb5-1-9/src/kdc/do_tgs_req.c
U   branches/krb5-1-9/src/kdc/fast_util.c
U   branches/krb5-1-9/src/kdc/kdc_util.h
Modified: branches/krb5-1-9/src/kdc/do_as_req.c
===================================================================
--- branches/krb5-1-9/src/kdc/do_as_req.c	2011-06-09 21:08:27 UTC (rev 24948)
+++ branches/krb5-1-9/src/kdc/do_as_req.c	2011-06-09 21:08:34 UTC (rev 24949)
@@ -689,7 +689,7 @@
 {
     krb5_error errpkt;
     krb5_error_code retval;
-    krb5_data *scratch;
+    krb5_data *scratch, *fast_edata = NULL;
     krb5_pa_data **pa = NULL;
     krb5_typed_data **td = NULL;
     size_t size;
@@ -748,9 +748,12 @@
         }
     }
     retval = kdc_fast_handle_error(kdc_context, rstate,
-                                   request, pa, &errpkt);
-    if (retval == 0)
+                                   request, pa, &errpkt, &fast_edata);
+    if (retval == 0) {
+        if (fast_edata != NULL)
+            errpkt.e_data = *fast_edata;
         retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+    }
 
     free(errpkt.text.data);
     if (retval)
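Review bot: `errpkt.e_data = *fast_edata;` is a shallow struct copy, so errpkt.e_data.data and fast_edata->data point at the same buffer, and nothing at the assignment says which one owns it. A short comment such as `/* errpkt.e_data borrows fast_edata's buffer; fast_edata is released below and errpkt.e_data must not be freed or used after that. */` would keep a later cleanup edit from turning this into a double free or a use after free. The same applies to the identical assignment in the do_tgs_req.c hunk at `@@ -1014,15 +1014,20 @@`. The function's signature and the code that first fills errpkt are outside this hunk.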
@@ -758,6 +761,7 @@
     else
         *response = scratch;
     krb5_free_pa_data(kdc_context, pa);
+    krb5_free_data(kdc_context, fast_edata);
 
     return retval;
 }

Modified: branches/krb5-1-9/src/kdc/do_tgs_req.c
===================================================================
--- branches/krb5-1-9/src/kdc/do_tgs_req.c	2011-06-09 21:08:27 UTC (rev 24948)
+++ branches/krb5-1-9/src/kdc/do_tgs_req.c	2011-06-09 21:08:34 UTC (rev 24949)
@@ -991,7 +991,7 @@
 {
     krb5_error errpkt;
     krb5_error_code retval = 0;
-    krb5_data *scratch;
+    krb5_data *scratch, *fast_edata = NULL;
 
     errpkt.ctime = request->nonce;
     errpkt.cusec = 0;
@@ -1014,15 +1014,20 @@
         return ENOMEM;
     }
     errpkt.e_data = *e_data;
-    if (state)
-        retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+    if (state) {
+        retval = kdc_fast_handle_error(kdc_context, state, request, NULL,
+                                       &errpkt, &fast_edata);
+    }
     if (retval) {
         free(scratch);
         free(errpkt.text.data);
         return retval;
     }
+    if (fast_edata)
+        errpkt.e_data = *fast_edata;
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
+    krb5_free_data(kdc_context, fast_edata);
     if (retval)
         free(scratch);
     else
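Review bot: The early `if (retval) { ... return retval; }` branch frees scratch and errpkt.text.data but not fast_edata, whereas the visible tail of do_as_req.c releases it whether or not retval is zero. Whether kdc_fast_handle_error() can return non-zero with *fast_edata_out set depends on how encode_krb5_padata_sequence() treats its output on failure, which is not shown here, so this is a defensive gap rather than a confirmed leak. Adding `krb5_free_data(kdc_context, fast_edata);` inside that branch would make the two callers agree. The commit already passes a possibly NULL fast_edata to krb5_free_data() in the non-FAST case, so the extra call rests on the same assumption. The function body starts before and continues after this hunk.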

Modified: branches/krb5-1-9/src/kdc/fast_util.c
===================================================================
--- branches/krb5-1-9/src/kdc/fast_util.c	2011-06-09 21:08:27 UTC (rev 24948)
+++ branches/krb5-1-9/src/kdc/fast_util.c	2011-06-09 21:08:34 UTC (rev 24949)
@@ -364,14 +364,15 @@
 /*
  * We assume the caller is responsible for passing us an in_padata
  * sufficient to include in a FAST error.  In the FAST case we will
- * throw away the e_data in the error (if any); in the non-FAST case
- * we will not use the in_padata.
+ * set *fast_edata_out to the edata to be included in the error; in
+ * the non-FAST case we will set it to NULL.
  */
 krb5_error_code
 kdc_fast_handle_error(krb5_context context,
                       struct kdc_request_state *state,
                       krb5_kdc_req *request,
-                      krb5_pa_data  **in_padata, krb5_error *err)
+                      krb5_pa_data  **in_padata, krb5_error *err,
+                      krb5_data **fast_edata_out)
 {
     krb5_error_code retval = 0;
     krb5_fast_response resp;
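Review bot: The revised header comment says what *fast_edata_out is set to, but not who frees it, nor that the FAST e_data is no longer stored in err. I would add a sentence such as `On success the caller owns *fast_edata_out, must place it in the error's e_data itself, and must release it with krb5_free_data().` It is also worth stating that fast_edata_out must be non-NULL, since the next hunk writes `*fast_edata_out = NULL;` before any check. Only the removed assignment to err->e_data is visible here, so confirm the rest of the body leaves it alone before wording the comment that strongly.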
@@ -381,8 +382,8 @@
     krb5_pa_data *outer_pa[3], *cookie = NULL;
     krb5_pa_data **inner_pa = NULL;
     size_t size = 0;
-    krb5_data *encoded_e_data = NULL;
 
+    *fast_edata_out = NULL;
     memset(outer_pa, 0, sizeof(outer_pa));
     if (!state || !state->armor_key)
         return 0;
@@ -430,15 +431,7 @@
         pa[0].contents = (unsigned char *) encrypted_reply->data;
         outer_pa[0] = &pa[0];
     }
-    retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
-    if (retval == 0) {
-        /*process_as holds onto a pointer to the original e_data and frees it*/
-        err->e_data = *encoded_e_data;
-        free(encoded_e_data); /*contents belong to err*/
-        encoded_e_data = NULL;
-    }
-    if (encoded_e_data)
-        krb5_free_data(kdc_context, encoded_e_data);
+    retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);
     if (encrypted_reply)
         krb5_free_data(kdc_context, encrypted_reply);
     if (encoded_fx_error)
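Review bot: `retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);` assigns retval unconditionally, so any failure recorded before this line is replaced by the encoder's result. The condition guarding the block that fills outer_pa[0] is outside the hunk, and this shape predates the commit. If that block is skipped on error, though, the function could return 0 with an e_data encoded from an outer_pa that lacks the FAST element, and both callers would then pass it to krb5_mk_error(). Consider putting `if (retval == 0)` on the line before the call, which also leaves *fast_edata_out NULL on the failure path. The cleanup code continues past the end of the hunk.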

Modified: branches/krb5-1-9/src/kdc/kdc_util.h
===================================================================
--- branches/krb5-1-9/src/kdc/kdc_util.h	2011-06-09 21:08:27 UTC (rev 24948)
+++ branches/krb5-1-9/src/kdc/kdc_util.h	2011-06-09 21:08:34 UTC (rev 24949)
@@ -355,7 +355,8 @@
 kdc_fast_handle_error (krb5_context context,
                        struct kdc_request_state *state,
                        krb5_kdc_req *request,
-                       krb5_pa_data  **in_padata, krb5_error *err);
+                       krb5_pa_data  **in_padata, krb5_error *err,
+                       krb5_data **fast_edata_out);
 
 krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
                                           krb5_keyblock *existing_key,



