[krbdev.mit.edu #3209] Memory leak parsing ticket_lifetime from krb5.conf.

The RT System itself via RT rt-comment at krbdev.mit.edu
Wed Oct 19 16:43:54 EDT 2005


To: krb5-bugs at mit.edu
From: Ed Plese <ed at edplese.com>
X-send-pr-version: 3.99
Message-Id: <20051019145412.0069117A969 at endian.dyndns.org>
Date: Wed, 19 Oct 2005 09:54:12 -0500 (CDT)


>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	Memory leak parsing ticket_lifetime from krb5.conf.
>Severity:	non-critical
>Priority:	low
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.4.1
>Environment:
OS: Gentoo Linux
System: Linux morpheus 2.6.13-mm1 #1 SMP PREEMPT Wed Sep 7 06:40:46 CDT 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz GenuineIntel GNU/Linux
Architecture: i686

>Description:
This particular problem was noticed while running Samba 3 configured as a
domain member of an Active Directory.  Over a few hours of working with
an Active Directory with a few thousand users, winbind would be
using over 1 GB of memory and would need to be restarted.

Running valgrind on winbind showed (among other things) the following
results after running "wbinfo -t" 1000 times.

==31865== 4004 bytes in 1001 blocks are definitely lost in loss record 36 of 44
==31865==    at 0x1B9042FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck.so)
==31865==    by 0x1B9FF911: krb5_libdefault_string (get_in_tkt.c:716)
==31865==    by 0x1B9FFBC3: krb5_get_init_creds (get_in_tkt.c:841)
==31865==    by 0x1BA00E0C: krb5_get_init_creds_password (gic_pwd.c:124)
==31865==    by 0x1D13FF: kerberos_kinit_password (kerberos.c:91)
==31865==    by 0x1BAB95DE: __libc_start_main (in /lib/libc-2.3.4.so)
==31865==    by 0x2F090: (within /usr/sbin/winbindd)

The culprit of the leak seems to be krb5_get_init_creds in get_in_tkt.c.

Here is the code starting at line 839:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }

The problem is that on success, krb5_string_to_deltat returns 0 and therefore
tempstr is never freed.

This should be able to be fixed by a simple fix as shown below:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
+       } else {
+           free(tempstr);
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }
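Review bot: the added else branch gives free(tempstr) two call sites for the two outcomes of krb5_string_to_deltat, and the same duplicated structure would then have to be repeated for the renew_lifetime lookup that follows. Since tempstr is owned by this function whatever the parser returns, and krb5_string_to_deltat only parses into tkt_life without retaining the string, freeing once right after the call is simpler and closes the leak on both paths: `ret = krb5_string_to_deltat(tempstr, &tkt_life); free(tempstr); if (ret) goto cleanup;`. The same three lines fix the renew_lifetime block at line 856 that the report points at.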

There also appears to be a problem with the retrieving of the renew_lifetime
configuration parameter in the code directly following the code shown above
(starting at line 856) since the code is very similar to the above code.

I am not familiar with the codebase so the above fix may not be correct and/or
may overlook something.  For this reason I haven't even tested this fix and
instead just went with the workaround of removing the ticket_lifetime
configuration parameter from krb5.conf.
>How-To-Repeat:
I'm sure there are simpler ways, but in my environment I did the following:
1. Configure Samba 3 to be an Active Directory domain member server.
2. Run "wbinfo -t" 1000 times.  All it really takes is once, but running
   it 1000 times makes it more noticeable.
>Fix:
The simple workaround to this problem is to remove the ticket_lifetime
configuration parameter from krb5.conf.  This avoids the code path that
causes the memory leak.


