[krbdev.mit.edu #1206] padata not freed from reply structure

The RT System itself via RT rt-comment at krbdev.mit.edu
Fri Oct 4 09:24:35 EDT 2002


>From kwc at dh171.citi.umich.edu  Fri Oct  4 09:24:32 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP
	id JAA13557; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: from dh171.citi.umich.edu (dh171.citi.umich.edu [141.211.133.171])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA14956
	for <krb5-bugs at mit.edu>; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: (from kwc at localhost)
	by dh171.citi.umich.edu (8.11.6/8.11.6) id g94DRuN32591;
	Fri, 4 Oct 2002 09:27:56 -0400
Date: Fri, 4 Oct 2002 09:27:56 -0400
Message-Id: <200210041327.g94DRuN32591 at dh171.citi.umich.edu>
To: krb5-bugs at mit.edu
Subject: padata memory leak in AS_REQ path
From: kwc at citi.umich.edu
Reply-To: kwc at citi.umich.edu
X-send-pr-version: 3.99


>Submitter-Id:	net
>Originator:	Kevin Coffman
>Organization:
Kevin Coffman           Center for Information Technology Integration
----------------------  University of Michigan
Phone: (734) 763-0592   3106 Argus
mailto:kwc at umich.edu    535 West William Street
----------------------  Ann Arbor, MI, 48103-4943
http://www.citi.umich.edu/u/kwc/
>Confidential:	no
>Synopsis:	padata not freed from reply structure
>Severity:	serious
>Priority:	medium
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	krb5-1.2.5
>Environment:
	
	All systems and architectures are affected.

>Description:
	
	When preauthentication data is returned as part of the
	AS_REQ, the padata is never released from the reply
	structure after the return packet is constructed.

	Also, normal processing already frees the encrypting_key
	contents, so it should be freed conditionally in the errout:
	section.
>How-To-Repeat:
	
	AS_REQs for users with only an AFS key in the database have
	the pw-salt padata returned in the response.  Also, we have
	code to use the SPECIAL salt type for users whose principal
	name (uniqname) has been changed.  This also results in
	padata being returned in the response.

>Fix:
	

	Apply the following patch (this patch is against the 1.2.6 release):

--- src/kdc/do_as_req.c.orig    Fri Oct  4 09:00:10 2002
+++ src/kdc/do_as_req.c Fri Oct  4 09:04:35 2002
@@ -448,8 +448,10 @@
        errcode = prepare_error_as(request, errcode, &e_data, response);
     }
 
-    krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-
+    if (encrypting_key.contents)
+           krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+    if (reply.padata)
+           krb5_free_pa_data(kdc_context, reply.padata);
     if (cname)
            free(cname);
     if (sname)
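Review bot: the `if (encrypting_key.contents)` guard only prevents a double free if the normal-path code that already frees the key also resets `encrypting_key.contents` to NULL (and the keyblock was NULL-initialised before any early `goto errout`); otherwise the test is made on a dangling pointer and the second `krb5_free_keyblock_contents(kdc_context, &encrypting_key);` frees it again. Worth confirming that the routine used on the normal path clears the pointer, or clearing it there explicitly, and likewise that `reply` is zeroed before the first jump to this label so `if (reply.padata)` never reads an uninitialised field. For symmetry with the key handling, consider setting `reply.padata = NULL` after `krb5_free_pa_data(kdc_context, reply.padata);` so this cleanup stays safe if it is ever reached twice.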
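The report's fix relies on a cleanup label that is reached from both the normal path and the error path, which is only safe if every free also resets the pointer it freed. The following is an added example, not code from this bug report or from MIT krb5: it models that discipline with constructed stand-ins (`keyblock_t`, `pa_data_t`, `kdc_reply_t`, `free_keyblock_contents`, `free_pa_data`, `process_as_req`) for the krb5 types and functions named in the patch, and counts live allocations so a caller can verify that neither path leaks or double-frees.

```c
/* Added example modelling the errout: cleanup pattern from the report.
 * All names below are constructed stand-ins, not the MIT krb5 API. */
#include <stdlib.h>
#include <string.h>

/* Allocation counter so callers can check that nothing leaked. */
static int live_allocs = 0;

static void *xmalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

typedef struct { unsigned char *contents; size_t length; } keyblock_t;
typedef struct { int pa_type; unsigned char *contents; size_t length; } pa_data_t;
typedef struct { pa_data_t **padata; /* NULL-terminated, like krb5_pa_data ** */ } kdc_reply_t;

/* Idempotent: zeroes and frees key material, then resets the pointer so a
 * second call from the cleanup label is a no-op rather than a double free. */
static void free_keyblock_contents(keyblock_t *k) {
    if (k->contents) {
        memset(k->contents, 0, k->length);
        xfree(k->contents);
        k->contents = NULL;
        k->length = 0;
    }
}

/* Frees every entry of a NULL-terminated pa_data array and the array itself. */
static void free_pa_data(pa_data_t **pa) {
    if (!pa) return;
    for (pa_data_t **p = pa; *p; p++) { xfree((*p)->contents); xfree(*p); }
    xfree(pa);
}

/* Builds a one-entry padata array carrying a constructed salt value. */
static pa_data_t **make_salt_padata(void) {
    pa_data_t **pa = xmalloc(2 * sizeof *pa);
    if (!pa) return NULL;
    pa[0] = xmalloc(sizeof *pa[0]);
    if (!pa[0]) { xfree(pa); return NULL; }
    pa[0]->pa_type = 3;              /* constructed stand-in for a pw-salt type */
    pa[0]->length = 4;
    pa[0]->contents = xmalloc(4);
    if (!pa[0]->contents) { free_pa_data(pa); return NULL; }
    memcpy(pa[0]->contents, "salt", 4);
    pa[1] = NULL;
    return pa;
}

/* Simplified AS_REQ handler: derive a key, build a reply carrying salt
 * padata, then either finish normally (fail_encode == 0) or take the
 * error path (fail_encode != 0). Returns 0 on success, -1 on error. */
int process_as_req(int fail_encode) {
    keyblock_t encrypting_key = { NULL, 0 };
    kdc_reply_t reply = { NULL };      /* zero-initialised before any goto errout */
    int rc = -1;

    encrypting_key.length = 16;
    encrypting_key.contents = xmalloc(16);
    if (!encrypting_key.contents) goto errout;

    reply.padata = make_salt_padata();
    if (!reply.padata) goto errout;

    if (fail_encode) goto errout;      /* stand-in for a failed encode */

    /* Normal processing already frees the key; because the pointer is
     * reset, the cleanup below is still safe to run unconditionally. */
    free_keyblock_contents(&encrypting_key);
    rc = 0;

errout:
    free_keyblock_contents(&encrypting_key);
    free_pa_data(reply.padata);
    reply.padata = NULL;
    return rc;
}

/* Number of outstanding allocations; 0 after either path means no leak. */
int live_allocations(void) { return live_allocs; }
```

Calling `process_as_req(0)` and `process_as_req(1)` and checking `live_allocations()` after each shows that the single cleanup label handles both paths without a leak or a double free; the key point is that the guard the patch adds is only meaningful when whatever freed the key on the normal path also cleared the pointer.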



