svn rev #24456: branches/krb5-1-9/src/ config/ lib/krb5/krb/

Fri Oct 15 16:42:24 EDT 2010

http://src.mit.edu/fisheye/changelog/krb5/?cs=24456
Commit By: tlyu
Log Message:
ticket: 6801
version_fixed: 1.9

pull up r24452, r24453, r24454 from trunk

 ------------------------------------------------------------------------
 r24454 | ghudson | 2010-10-13 13:20:36 -0400 (Wed, 13 Oct 2010) | 2 lines

 Whitespace.

 ------------------------------------------------------------------------
 r24453 | hartmans | 2010-10-12 21:19:20 -0400 (Tue, 12 Oct 2010) | 2 lines

 Adjust valgrind support to assume a modern valgrind that requires %p in log files.

 ------------------------------------------------------------------------
 r24452 | hartmans | 2010-10-12 21:19:14 -0400 (Tue, 12 Oct 2010) | 14 lines

 ticket: 6801
 target_version: 1.9
 Subject: Fix leaks in get_init_creds interface

 In Debian Bug 598032, Bastian Blank points out that there are two
 leaks in the get_init_creds interface:

 * Free ctx->request->padata after sending the KDC request so it is not
 overwritten the next time around the loop.

 * If options is NULL passed into krb5_get_init_creds_init, then set up
 a non-extended options structure so that krb5_get_init_creds_free will
 free the options.


Changed Files:
U   branches/krb5-1-9/src/config/pre.in
U   branches/krb5-1-9/src/lib/krb5/krb/get_in_tkt.c
Modified: branches/krb5-1-9/src/config/pre.in
===================================================================

--- branches/krb5-1-9/src/config/pre.in	2010-10-14 22:49:11 UTC (rev 24455)
+++ branches/krb5-1-9/src/config/pre.in	2010-10-15 20:42:23 UTC (rev 24456)
@@ -566,7 +566,7 @@
 # Need absolute paths here because under kshd or ftpd we may run programs
 # while in other directories.
 VALGRIND_LOGDIR = `cd $(BUILDTOP)&&pwd`
-VALGRIND1 = valgrind --tool=memcheck --log-file=$(VALGRIND_LOGDIR)/vg --trace-children=yes -v --leak-check=yes --suppressions=`cd $(top_srcdir)&&pwd`/util/valgrind-suppressions
+VALGRIND1 = valgrind --tool=memcheck --log-file=$(VALGRIND_LOGDIR)/vg.%p --trace-children=yes -v --leak-check=yes --suppressions=`cd $(top_srcdir)&&pwd`/util/valgrind-suppressions
 
 # Set OFFLINE=yes to disable tests that assume network connectivity.
 # (Specifically, this concerns the ability to fetch DNS data for

Modified: branches/krb5-1-9/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- branches/krb5-1-9/src/lib/krb5/krb/get_in_tkt.c	2010-10-14 22:49:11 UTC (rev 24455)
+++ branches/krb5-1-9/src/lib/krb5/krb/get_in_tkt.c	2010-10-15 20:42:23 UTC (rev 24456)
@@ -798,6 +798,7 @@
     int tmp;
     char *str = NULL;
     krb5_gic_opt_ext *opte;
+    krb5_get_init_creds_opt local_opts;
 
     TRACE_INIT_CREDS(context, client);
 
@@ -822,9 +823,14 @@
     ctx->start_time = start_time;
 
     if (options == NULL) {
-        code = krb5_get_init_creds_opt_alloc(context, &options);
-        if (code != 0)
-            goto cleanup;
+        /*
+         * We initialize a non-extended options because that way the shadowed
+         * flag will be sent and they will be freed when the init_creds context
+         * is freed. The options will be extended and copied off the stack into
+         * storage by opt_to_opte.
+         */
+        krb5_get_init_creds_opt_init(&local_opts);
+        options = &local_opts;
     }
 
     code = krb5int_gic_opt_to_opte(context, options,
@@ -1175,6 +1181,8 @@
         goto cleanup;
 
 cleanup:
+    krb5_free_pa_data(context, ctx->request->padata);
+    ctx->request->padata = NULL;
     return code;
 }
 


