Reachable memory left behind by simple kadmin client?

Russ Allbery rra at stanford.edu
Thu Dec 22 16:55:06 EST 2011


Greg Hudson <ghudson at MIT.EDU> writes:

> Most of the records suggest a krb5 context which wasn't freed and is
> still reachable from somewhere.  I don't really know where this would
> be.

Yeah, that's what it looked like to me too, but I can't figure out where
it is.  It's possible that I have some other, subtle bug in my code, but I
can't figure it out if so.

> As far as I can tell, neither libkadm5clnt, libgssrpc, nor libgssapi
> keep a static krb5 context around (Heimdal does, in thread-specific
> storage, but we don't currently do that).  All of the stack traces stop
> at krb5_init_context for some reason, making it hard to see where the
> still-reachable context was allocated.

Yes.  This is probably because I'm using the system MIT Kerberos libraries
with the debugging packages, so they were built with optimization.  If I
rebuilt them without optimization and used LD_LIBRARY_PATH, I'd probably
get better traces.  I may try to do that if I get a chance later, although
I've already spent a lot of time chasing memory pseudo-leaks (in all sorts
of different code) and am getting kind of bored of it.  :)

If anyone is interested in taking a look, clone:

    git://git.eyrie.org/kerberos/pam-krb5.git

follow the test suite setup instructions in README and
tests/config/README, and run:

    ./autogen
    ./configure
    make CFLAGS=-g check-valgrind

and then look in tmp-valgrind/*.  This is still a work in progress and
more things will be moving around; for example, libkadm5clnt is currently
hard-coded in Makefile.am and will be replaced by an Autoconf probe.

> Records 2 and 3 are an artifact of how com_err works.

> Records 6-8 are an artifact of an API used to communicate the ccache
> name between libkadm5 and gss-krb5, which uses thread-specific storage.

> Records 12 and 21 are an artifact of the gssrpc library allocating
> private storage blocks.  I think this memory could be lost if the gssrpc
> library were loaded and unloaded repeatedly, so it's not a great
> practice, but the library is based on very old code.

Thanks for this information!  I'll try to update the valgrind suppressions
for these, at least.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list