[krbdev.mit.edu #1731] rd_cred double frees memory
Joseph Galbraith via RT
rt-comment at krbdev.mit.edu
Mon Aug 18 07:53:40 EDT 2003
Message-ID: <3F3D508A.4000603 at vandyke.com>
Date: Fri, 15 Aug 2003 15:28:42 -0600
From: Joseph Galbraith <galb at vandyke.com>
To: krbdev at mit.edu
Subject: Bug in rd_cred.c?
List-Id: Kerberos Developers Mailing List <krbdev.mit.edu>
In decrypt_credencdata, there is the following code:
    /* now decode the decrypted stuff */
    if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
        goto cleanup_encpart;

    *pcredenc = *ppart;
    retval = 0;

cleanup_encpart:
    memset(ppart, 0, sizeof(*ppart));
    krb5_xfree(ppart);
However, it appears that decode_krb5_enc_cred_part
cleans up and deallocates ppart if it fails, resulting
in us freeing it a second time when we do krb5_xfree().
This latter causes a crash in malloc in the server
we're writing.
Now, this is the first time I've ever looked at the
krb5 code, so I could be mistaken in my analysis.
When I change goto cleanup_encpart to goto cleanup,
however, my server no longer crashes, and I get
a nice "ASN.1 identifier doesn't match expected value"
error.
- Joseph
_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev