krb5 commit: Fix KDC encrypting key memory leak on some errors
Greg Hudson
ghudson at mit.edu
Fri Mar 2 11:46:31 EST 2018
https://github.com/krb5/krb5/commit/1bcf2742d504a22b7354251bbc1e19c3dacd95f3
commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Feb 27 11:56:58 2018 -0500
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky at gmail.com.
ticket: 8645 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
src/kdc/do_tgs_req.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cc5a692..fca01db 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
memset(&reply_encpart, 0, sizeof(reply_encpart));
memset(&ticket_reply, 0, sizeof(ticket_reply));
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+ memset(&encrypting_key, 0, sizeof(encrypting_key));
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
@@ -719,8 +720,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
- if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode)
goto cleanup;
ticket_reply.enc_part.kvno = ticket_kvno;
@@ -810,6 +809,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
cleanup:
if (status == NULL)
status = "UNKNOWN_REASON";
+ if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
More information about the cvs-krb5
mailing list