[krbdev.mit.edu #3886] get_credentials routine (init_sec_context.c) leaks memory if a ticket has expired

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Jun 15 14:18:54 EDT 2006


Date: Thu, 15 Jun 2006 18:07:35 +0200
From: Rainer Weikusat <rainer.weikusat at sncag.com>
Message-Id: <200606151607.k5FG7ZDs000488 at skamandros.sncag.com>
To: krb5-bugs at mit.edu
Subject: Memory leak in get_credentials
Reply-To: rainer.weikusat at sncag.com


>Submitter-Id:	net
>Originator:	Rainer Weikusat
>Organization:
	SNC AG
>Confidential:	no
>Synopsis:	get_credentials routine (init_sec_context.c) leaks memory if a ticket has expired
>Severity:	serious
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.4.3
>Environment:
System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686

>Description:
	The get_credentials routine in src/lib/gssapi/krb5/init_sec_context.c contains
	the following code:

    code = krb5_get_credentials(context, 0, cred->ccache,
                                &in_creds, out_creds);
    if (code)
        goto cleanup;

    /*
     * Enforce a stricter limit (without timeskew forgiveness at the
     * boundaries) because accept_sec_context code is also similarly
     * non-forgiving.
     */
    if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
        (*out_creds)->times.endtime < now) {
        code = KRB5KRB_AP_ERR_TKT_EXPIRED;
        goto cleanup;
    }

cleanup:
    if (in_creds.client)
        krb5_free_principal(context, in_creds.client);
    if (in_creds.server)
        krb5_free_principal(context, in_creds.server);
    return code;
}

	krb5_get_credentials returns a malloced Kerberos credential via the
	output parameter out_creds. This credential is not freed if the calling
	routine returns a KRB5KRB_AP_ERR_TKT_EXPIRED error because of the
	time comparison after the comment, and the routine that calls get_credentials
	(new_connection, same file) does not free it either, because of the
	returned error (and the goto is 'fairly redundant').
>How-To-Repeat:
	Call gss_init_sec_context with a credentials handle referring to an
	expired Kerberos ticket.
>Fix:
--- kerberos-gc-leak/src/lib/gssapi/krb5/init_sec_context.c     19 Mar 2006 14:41:59 -0000      1.1.1.1
+++ kerberos-gc-leak/src/lib/gssapi/krb5/init_sec_context.c     15 Jun 2006 15:22:49 -0000      1.1.1.1.6.2
@@ -126,6 +126,9 @@
     if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
        (*out_creds)->times.endtime < now) {
        code = KRB5KRB_AP_ERR_TKT_EXPIRED;
+
+       krb5_free_creds(context, *out_creds);
+       *out_creds = NULL;
        goto cleanup;
     }
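Review bot: the free is placed inside the single expiry branch rather than under the cleanup: label, so any further error path added between krb5_get_credentials and cleanup would leak in the same way; consider doing it at cleanup instead, guarded by `if (code && *out_creds != NULL)` (this assumes *out_creds is NULL whenever no credential was returned), and keep the `*out_creds = NULL;` so new_connection can neither use nor double-free the credential on error. Nulling the out parameter right after krb5_free_creds is the right call. The empty `+` line after `code = KRB5KRB_AP_ERR_TKT_EXPIRED;` inserts a blank line the surrounding code does not have.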

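The ownership rule the report describes, as an added example that is not krb5 code: a mock allocator standing in for krb5_get_credentials, the leaky expiry branch beside the fixed one, and a live-allocation counter that makes the leak observable. The names mock_get_credentials, mock_free_creds, creds_t, ERR_TKT_EXPIRED and live_after_expired are constructed for this example.

```c
/* Added example (not krb5 code): a minimal model of the get_credentials leak.
 * mock_get_credentials stands in for krb5_get_credentials and returns a heap
 * credential via an out parameter; the caller, like new_connection in the
 * report, frees nothing on error, so the callee must. All names constructed. */
#include <stdlib.h>
#define ERR_TKT_EXPIRED 1
typedef struct { long endtime; } creds_t;
static int live_creds = 0;         /* live allocations: makes a leak visible */

static int mock_get_credentials(long endtime, creds_t **out)
{
    if ((*out = malloc(sizeof **out)) == NULL) return -1;
    (*out)->endtime = endtime;
    live_creds++;
    return 0;
}
static void mock_free_creds(creds_t *c) { free(c); live_creds--; }

/* Mirrors the reported code: on expiry the credential is never freed. */
static int get_credentials_leaky(long endtime, long now, creds_t **out_creds)
{
    int code = mock_get_credentials(endtime, out_creds);
    if (code) return code;
    if (*out_creds != NULL && (*out_creds)->endtime < now)
        return ERR_TKT_EXPIRED;    /* leak: *out_creds is still allocated */
    return 0;
}

/* Mirrors the proposed fix: free on the error path and null the out parameter. */
static int get_credentials_fixed(long endtime, long now, creds_t **out_creds)
{
    int code = mock_get_credentials(endtime, out_creds);
    if (code) return code;
    if (*out_creds != NULL && (*out_creds)->endtime < now) {
        mock_free_creds(*out_creds);
        *out_creds = NULL;         /* caller can neither use nor double-free it */
        return ERR_TKT_EXPIRED;
    }
    return 0;
}

/* Runs a variant on an expired ticket (endtime < now); returns live creds after, 0 = no leak. */
static int live_after_expired(int (*fn)(long, long, creds_t **))
{
    creds_t *c = NULL;
    live_creds = 0;
    (void)fn(100, 200, &c);
    return live_creds;
}
```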