Memory leaks in krb5?

Tom Yu tlyu at MIT.EDU
Mon Sep 20 22:24:04 EDT 2004


>>>>> "schommer" == Derrick Schommer <schommer at gmail.com> writes:

schommer> It's only 28 blocks, but if I repeat the authentication over
schommer> and over it grows quickly.  It seems that when I get a
schommer> forwarded tgt (krb5_fwd_tgt() ) and call krb5_rd_cred() it
schommer> allocates some memory in the asn.1 decoder and I'm not sure
schommer> why it's not cleaned up (or where it should be cleaned up).

Thanks for noticing this.  By my examination of the code, it appears
that you are correct.  Ironically, this leak was introduced as part
of a patch to correct a double-free vulnerability.

decrypt_credencdata() calls decode_krb5_enc_cred_part(), which
allocates a krb5_cred_enc_part.  The contents of this
krb5_cred_enc_part are copied into a krb5_cred_enc_part passed from
krb5_rd_cred_basic().  krb5_rd_cred_basic() does free the contents of
its own krb5_cred_enc_part, but the one allocated by
decrypt_credencdata() is never freed.

Further confusing matters, it appears that krb5_free_cred_enc_part()
is misnamed and only frees the contents, not the pointer.

---Tom
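
The ownership pattern Tom describes, as an added stand-alone example (not krb5 code and not part of the post): a decoder allocates both a container struct and its contents, the caller shallow-copies the contents into its own struct and later frees only those contents, and the decoder-allocated container is left behind. All names here are hypothetical stand-ins: `enc_part` for krb5_cred_enc_part, `decode_enc_part()` for decode_krb5_enc_cred_part(), `free_enc_part_contents()` for the contents-only krb5_free_cred_enc_part(), and the two `decrypt_credencdata_*` variants for the leaking shape beside a corrected one. An allocation counter replaces an external leak checker so the example runs offline.

```c
/* Added example, not from the krb5 source or the post above.  It models the
 * ownership pattern discussed in the thread with hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_cred_enc_part: a container with one
 * heap-allocated member, so "free the contents" and "free the struct"
 * are distinct operations, as in the real API. */
typedef struct {
    int nonce;
    char *ticket_info;      /* heap-allocated contents */
} enc_part;

/* Allocation counter so the leak is observable without valgrind. */
static int live_allocs = 0;

static void *xmalloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void xfree(void *p) {
    if (p) { free(p); live_allocs--; }
}

/* Models decode_krb5_enc_cred_part(): allocates BOTH the container and
 * its contents; on success the caller owns both. */
static int decode_enc_part(const char *input, enc_part **out) {
    enc_part *p = xmalloc(sizeof *p);
    if (!p) return -1;
    p->nonce = 42;
    p->ticket_info = xmalloc(strlen(input) + 1);
    if (!p->ticket_info) { xfree(p); return -1; }
    strcpy(p->ticket_info, input);
    *out = p;
    return 0;
}

/* Models the (misnamed) krb5_free_cred_enc_part(): frees only the
 * contents, never the container pointer itself. */
static void free_enc_part_contents(enc_part *p) {
    xfree(p->ticket_info);
    p->ticket_info = NULL;
}

/* Leaking shape: the decoded contents are copied by value into the
 * caller's struct and the decoded container is simply forgotten. */
static int decrypt_credencdata_leaky(const char *input, enc_part *caller_part) {
    enc_part *decoded;
    if (decode_enc_part(input, &decoded) != 0) return -1;
    *caller_part = *decoded;   /* shallow copy: caller now points at ticket_info */
    return 0;                  /* the 'decoded' container is never freed */
}

/* Fixed shape: after the shallow copy, ownership of the contents has moved
 * to caller_part, so only the container is released here.  Freeing the
 * contents as well would reintroduce a double free with the caller. */
static int decrypt_credencdata_fixed(const char *input, enc_part *caller_part) {
    enc_part *decoded;
    if (decode_enc_part(input, &decoded) != 0) return -1;
    *caller_part = *decoded;
    xfree(decoded);            /* container only; contents now owned by caller */
    return 0;
}

/* One round in the shape of krb5_rd_cred_basic(): decrypt into a local
 * struct, use it, free its contents.  Returns how many heap blocks the
 * round left live (0 means no leak, 1 means the container leaked). */
static int run_round(int (*decrypt)(const char *, enc_part *)) {
    enc_part local;
    int before = live_allocs;
    if (decrypt("forwarded-tgt", &local) != 0) return -1;
    free_enc_part_contents(&local);
    return live_allocs - before;
}

int main(void) {
    int leaked = 0, fixed = 0, i;
    for (i = 0; i < 28; i++) {       /* repeat the round, as the reporter did */
        leaked += run_round(decrypt_credencdata_leaky);
        fixed  += run_round(decrypt_credencdata_fixed);
    }
    printf("leaky: %d blocks leaked, fixed: %d blocks leaked\n", leaked, fixed);
    return 0;
}
```

The point the example makes is that a shallow copy transfers ownership of the pointed-to contents, not of the container: the caller's contents-only free is correct, and the decoder's container must be released by whoever performed the copy. Releasing the contents there too is the double free the earlier patch removed, so the fix is exactly one extra free of the outer struct.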

