svn rev #24722: trunk/src/kdc/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Mar 17 16:02:01 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24722
Commit By: ghudson
Log Message:
ticket: 6884
subject: KDC memory leak in FAST error path
target_version: 1.9.1
tags: pullup
When kdc_fast_handle_error() produces a FAST-encoded error, it puts it
into err->e_data and it never gets freed (since in the non-FAST case,
err->e_data contains aliased pointers). Fix this by storing the
encoded error in an output variable which is placed into the error's
e_data by the caller and then freed.
Changed Files:
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/fast_util.c
U trunk/src/kdc/kdc_util.h
Modified: trunk/src/kdc/do_as_req.c
===================================================================
--- trunk/src/kdc/do_as_req.c 2011-03-17 14:14:12 UTC (rev 24721)
+++ trunk/src/kdc/do_as_req.c 2011-03-17 20:02:01 UTC (rev 24722)
@@ -688,7 +688,7 @@
{
krb5_error errpkt;
krb5_error_code retval;
- krb5_data *scratch;
+ krb5_data *scratch, *fast_edata = NULL;
krb5_pa_data **pa = NULL;
krb5_typed_data **td = NULL;
size_t size;
@@ -747,9 +747,12 @@
}
}
retval = kdc_fast_handle_error(kdc_context, rstate,
- request, pa, &errpkt);
- if (retval == 0)
+ request, pa, &errpkt, &fast_edata);
+ if (retval == 0) {
+ if (fast_edata != NULL)
+ errpkt.e_data = *fast_edata;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ }
free(errpkt.text.data);
if (retval)
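Review bot: The struct copy `errpkt.e_data = *fast_edata;` leaves errpkt.e_data pointing at the buffer owned by fast_edata, and nothing at the assignment says so. It is safe only because krb5_mk_error() runs before the `krb5_free_data(kdc_context, fast_edata)` added in the next hunk, and errpkt is not used after that free. I would add a comment above the assignment, `/* Borrowed: e_data aliases fast_edata, which is freed after krb5_mk_error(). */`, so a later reordering does not turn this into a use-after-free. The same assignment in do_tgs_req.c deserves the same comment. The enclosing function starts and ends outside this hunk.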
@@ -757,6 +760,7 @@
else
*response = scratch;
krb5_free_pa_data(kdc_context, pa);
+ krb5_free_data(kdc_context, fast_edata);
return retval;
}
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2011-03-17 14:14:12 UTC (rev 24721)
+++ trunk/src/kdc/do_tgs_req.c 2011-03-17 20:02:01 UTC (rev 24722)
@@ -987,7 +987,7 @@
{
krb5_error errpkt;
krb5_error_code retval = 0;
- krb5_data *scratch;
+ krb5_data *scratch, *fast_edata = NULL;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
@@ -1010,15 +1010,20 @@
return ENOMEM;
}
errpkt.e_data = *e_data;
- if (state)
- retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+ if (state) {
+ retval = kdc_fast_handle_error(kdc_context, state, request, NULL,
+ &errpkt, &fast_edata);
+ }
if (retval) {
free(scratch);
free(errpkt.text.data);
return retval;
}
+ if (fast_edata)
+ errpkt.e_data = *fast_edata;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
+ krb5_free_data(kdc_context, fast_edata);
if (retval)
free(scratch);
else
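Review bot: The early `return retval;` in the `if (retval)` branch does not release fast_edata, while the do_as_req.c path calls krb5_free_data() on every exit. Whether kdc_fast_handle_error() can fail with *fast_edata_out already set depends on the encoder's failure behaviour, which is not visible here, so the branch should free it regardless: add `krb5_free_data(kdc_context, fast_edata);` before the return. The AS path already passes a possibly-NULL pointer to krb5_free_data(), so the call is expected to be harmless when nothing was produced. On a KDC, a leak on a request-driven error path accumulates for the life of the process. The function body continues outside the hunk.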
Modified: trunk/src/kdc/fast_util.c
===================================================================
--- trunk/src/kdc/fast_util.c 2011-03-17 14:14:12 UTC (rev 24721)
+++ trunk/src/kdc/fast_util.c 2011-03-17 20:02:01 UTC (rev 24722)
@@ -363,14 +363,15 @@
/*
* We assume the caller is responsible for passing us an in_padata
* sufficient to include in a FAST error. In the FAST case we will
- * throw away the e_data in the error (if any); in the non-FAST case
- * we will not use the in_padata.
+ * set *fast_edata_out to the edata to be included in the error; in
+ * the non-FAST case we will set it to NULL.
*/
krb5_error_code
kdc_fast_handle_error(krb5_context context,
struct kdc_request_state *state,
krb5_kdc_req *request,
- krb5_pa_data **in_padata, krb5_error *err)
+ krb5_pa_data **in_padata, krb5_error *err,
+ krb5_data **fast_edata_out)
{
krb5_error_code retval = 0;
krb5_fast_response resp;
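Review bot: The updated comment says what *fast_edata_out is set to but not who owns it. Callers now have to release it with krb5_free_data() after krb5_mk_error(), and as far as the visible hunks show this function no longer writes err->e_data. I would extend the comment with `On success the caller owns *fast_edata_out and must release it with krb5_free_data(); err->e_data is left untouched.` It would also help to state what *fast_edata_out holds when a non-zero code is returned. The function body continues past the end of this hunk.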
@@ -380,8 +381,8 @@
krb5_pa_data *outer_pa[3], *cookie = NULL;
krb5_pa_data **inner_pa = NULL;
size_t size = 0;
- krb5_data *encoded_e_data = NULL;
+ *fast_edata_out = NULL;
memset(outer_pa, 0, sizeof(outer_pa));
if (!state || !state->armor_key)
return 0;
@@ -429,15 +430,7 @@
pa[0].contents = (unsigned char *) encrypted_reply->data;
outer_pa[0] = &pa[0];
}
- retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
- if (retval == 0) {
- /*process_as holds onto a pointer to the original e_data and frees it*/
- err->e_data = *encoded_e_data;
- free(encoded_e_data); /*contents belong to err*/
- encoded_e_data = NULL;
- }
- if (encoded_e_data)
- krb5_free_data(kdc_context, encoded_e_data);
+ retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);
if (encrypted_reply)
krb5_free_data(kdc_context, encrypted_reply);
if (encoded_fx_error)
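Review bot: `retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);` appears to run regardless of the value retval already holds, so a failure from an earlier step would be overwritten by the encoder's result. Indentation is lost on this page and the preceding block opens outside the hunk, so this needs checking against the file. If it holds, the caller would receive success and an e_data built from whatever outer_pa contains (it is zeroed at the top of the function). Guarding the call keeps the earlier error: `if (retval == 0) retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);`. The behaviour predates this commit, but the new output parameter hands the result straight to the callers.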
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2011-03-17 14:14:12 UTC (rev 24721)
+++ trunk/src/kdc/kdc_util.h 2011-03-17 20:02:01 UTC (rev 24722)
@@ -354,7 +354,8 @@
kdc_fast_handle_error (krb5_context context,
struct kdc_request_state *state,
krb5_kdc_req *request,
- krb5_pa_data **in_padata, krb5_error *err);
+ krb5_pa_data **in_padata, krb5_error *err,
+ krb5_data **fast_edata_out);
krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
krb5_keyblock *existing_key,