Memory leak in do_preauth
Scott T.
scottt35 at hotmail.com
Thu Apr 10 17:15:30 EDT 2003
MIT Kerberos version 1.2.8: in preauth2.c, function krb5_do_preauth
[downloaded src]

It seems like the array returned by decode_krb5_etype_info is not freed on
success. The caller releases only the first element and leaks the rest of
the array. I've added a little hack section of code to see what would
happen if I copied the memory I need and then freed the array when the
function exits. As it stands, this seems to work against my test setups.
I'm a little unsure whether my hack is a legitimate fix or there is some
circumstance where my fix will screw things up. Any thoughts?

Regards,
Scott T.
    /* first do all the informational preauths, then the first real
       one */
    for (h = 0; h < (sizeof(paorder) / sizeof(paorder[0])); h++) {
        realdone = 0;
        for (i = 0; in_padata[i] && !realdone; i++) {
            /*
             * This is really gross, but is necessary to prevent
             * lossage when talking to a 1.0.x KDC, which returns an
             * erroneous PA-PW-SALT when it returns a KRB-ERROR
             * requiring additional preauth.
             */
            switch (in_padata[i]->pa_type) {
            case KRB5_PADATA_ETYPE_INFO:
                if (etype_info)
                    continue;
                scratch.length = in_padata[i]->length;
                scratch.data = (char *) in_padata[i]->contents;
                ret = decode_krb5_etype_info(&scratch, &etype_info);
                if (ret) {
                    if (out_pa_list) {
                        out_pa_list[out_pa_list_size++] = NULL;
                        krb5_free_pa_data(context, out_pa_list);
                    }
                    return ret;
                }
                if (etype_info[0] == NULL) {
                    krb5_free_etype_info(context, etype_info);
                    etype_info = NULL;
                    break;
                }
                /* START HACK */
                /* Copy the salt out of entry 0 so the decoded array can be
                 * freed independently of the salt the caller keeps. */
                salt->data = (char *) malloc(etype_info[0]->length);
                if (salt->data == NULL) {
                    /* same cleanup as the decode failure path above */
                    krb5_free_etype_info(context, etype_info);
                    if (out_pa_list) {
                        out_pa_list[out_pa_list_size++] = NULL;
                        krb5_free_pa_data(context, out_pa_list);
                    }
                    return ENOMEM;
                }
                memcpy(salt->data, (char *) etype_info[0]->salt,
                       etype_info[0]->length);
                salt->length = etype_info[0]->length;
                *etype = etype_info[0]->etype;
                /* STOP HACK */
                /* ORIGINAL CODE */
                /* salt->data = (char *) etype_info[0]->salt; */
                /* salt->length = etype_info[0]->length; */
                /* *etype = etype_info[0]->etype; */
#ifdef DEBUG
                for (j = 0; etype_info[j]; j++) {
                    krb5_etype_info_entry *e = etype_info[j];
                    fprintf(stderr, "etype info %d: etype %d salt len=%d",
                            j, e->etype, e->length);
                    /* salt is not NUL-terminated: bound the print by
                     * length (precision), not by field width */
                    if (e->length > 0)
                        fprintf(stderr, " '%.*s'", e->length, e->salt);
                    fprintf(stderr, "\n");
                }
#endif
                break;
            case KRB5_PADATA_PW_SALT:
            case KRB5_PADATA_AFS3_SALT:
                if (etype_info)
                    continue;
                break;
            default:
                ;
            }
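The ownership problem behind the post, as an added stand-alone example (not code from the original message or from MIT Kerberos): a decode routine hands back a NULL-terminated array of entries whose salt buffers it also owns. Aliasing salt->data into entry 0 ties the lifetime of the whole array to one field the caller never frees, so the only way to free the array is to copy the one buffer the caller needs first. The structs, the toy encoding (a count byte, then per entry an etype byte, a salt-length byte and the salt bytes; not ASN.1) and the allocation counters below are all constructed for this example so the leak is observable without valgrind; names prefixed ex_ are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for krb5_etype_info_entry / krb5_data; not the real structs. */
typedef struct {
    int etype;
    unsigned int length;
    unsigned char *salt;       /* heap buffer owned by the entry */
} ex_etype_info_entry;

typedef struct {
    unsigned int length;
    char *data;
} ex_data;

/* Counting allocator: live_allocs > 0 after a caller finishes means a leak. */
static int live_allocs = 0;
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
int ex_live_allocs(void) { return live_allocs; }

/* Free a NULL-terminated entry array, entries and salts included. */
void ex_free_etype_info(ex_etype_info_entry **info) {
    if (!info) return;
    for (int i = 0; info[i]; i++) { xfree(info[i]->salt); xfree(info[i]); }
    xfree(info);
}
void ex_free_salt(ex_data *s) { xfree(s->data); s->data = NULL; s->length = 0; }

/* Decode the constructed encoding into a NULL-terminated array the caller owns.
 * Every failure path releases what was built so far and returns an errno value. */
int ex_decode_etype_info(const unsigned char *buf, size_t len, ex_etype_info_entry ***out) {
    if (len < 1) return EINVAL;
    unsigned int count = buf[0];
    size_t pos = 1;
    ex_etype_info_entry **info = xmalloc((count + 1) * sizeof(*info));
    if (!info) return ENOMEM;
    for (unsigned int i = 0; i <= count; i++) info[i] = NULL;
    for (unsigned int i = 0; i < count; i++) {
        if (pos + 2 > len) { ex_free_etype_info(info); return EINVAL; }
        ex_etype_info_entry *e = xmalloc(sizeof(*e));
        if (!e) { ex_free_etype_info(info); return ENOMEM; }
        e->etype = buf[pos];
        e->length = buf[pos + 1];
        pos += 2;
        if (pos + e->length > len) { xfree(e); ex_free_etype_info(info); return EINVAL; }
        e->salt = xmalloc(e->length ? e->length : 1);   /* avoid malloc(0) */
        if (!e->salt) { xfree(e); ex_free_etype_info(info); return ENOMEM; }
        memcpy(e->salt, buf + pos, e->length);
        pos += e->length;
        info[i] = e;
    }
    *out = info;
    return 0;
}

/* Mirrors the original caller: alias salt into entry 0 and never free the array.
 * The caller holds only info[0]->salt, so the array and every other entry leak. */
int ex_pick_salt_leaky(const unsigned char *buf, size_t len, ex_data *salt, int *etype) {
    ex_etype_info_entry **info = NULL;
    int ret = ex_decode_etype_info(buf, len, &info);
    if (ret) return ret;
    if (info[0] == NULL) { ex_free_etype_info(info); return 0; }
    salt->data = (char *) info[0]->salt;
    salt->length = info[0]->length;
    *etype = info[0]->etype;
    return 0;                                   /* info is never released */
}

/* Copy-then-free: salt->data becomes a buffer the caller owns outright,
 * so the decoded array can be released before returning. */
int ex_pick_salt_fixed(const unsigned char *buf, size_t len, ex_data *salt, int *etype) {
    ex_etype_info_entry **info = NULL;
    int ret = ex_decode_etype_info(buf, len, &info);
    if (ret) return ret;
    if (info[0] == NULL) { ex_free_etype_info(info); salt->data = NULL; salt->length = 0; return 0; }
    char *copy = xmalloc(info[0]->length ? info[0]->length : 1);
    if (!copy) { ex_free_etype_info(info); return ENOMEM; }
    memcpy(copy, info[0]->salt, info[0]->length);
    salt->data = copy;
    salt->length = info[0]->length;
    *etype = info[0]->etype;
    ex_free_etype_info(info);                   /* safe: salt no longer points into it */
    return 0;
}

/* Constructed inputs: two entries (etype 16 with salt "abcd", etype 1 with an
 * empty salt), and a message whose salt length overruns the buffer. */
const unsigned char ex_sample[] = { 2, 16, 4, 'a', 'b', 'c', 'd', 1, 0 };
const size_t ex_sample_len = sizeof(ex_sample);
const unsigned char ex_truncated[] = { 1, 16, 10, 'a' };
const size_t ex_truncated_len = sizeof(ex_truncated);

int main(void) {
    ex_data salt = { 0, NULL }; int etype = 0;
    ex_pick_salt_fixed(ex_sample, ex_sample_len, &salt, &etype);
    ex_free_salt(&salt);
    printf("fixed: live allocations after caller frees salt = %d\n", ex_live_allocs());
    ex_pick_salt_leaky(ex_sample, ex_sample_len, &salt, &etype);
    printf("leaky: live allocations with no way to free them = %d\n", ex_live_allocs());
    return 0;
}
```

The same pattern applies to the real code: once salt->data is a private copy, krb5_free_etype_info can be called at any point after the copy, including on the early-return paths, without invalidating what the caller returns. The truncated input shows the decoder side of the contract: a failed decode must leave nothing allocated, or the caller has nothing to free even in principle.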