[krbdev.mit.edu #3886] get_credentials routine (init_sec_context.c) leaks memory if a ticket has expired
The RT System itself via RT
rt-comment at krbdev.mit.edu
Thu Jun 15 14:18:54 EDT 2006
Date: Thu, 15 Jun 2006 18:07:35 +0200
From: Rainer Weikusat <rainer.weikusat at sncag.com>
Message-Id: <200606151607.k5FG7ZDs000488 at skamandros.sncag.com>
To: krb5-bugs at mit.edu
Subject: Memory leak in get_credentials
>Submitter-Id: net
>Originator: Rainer Weikusat
>Organization: SNC AG
>Confidential: no
>Synopsis: get_credentials routine (init_sec_context.c) leaks memory if a ticket has expired
>Severity: serious
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.3
>Environment:
System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686
>Description:
The get_credentials routine in src/lib/gssapi/krb5/init_sec_context.c contains
the following code:
    code = krb5_get_credentials(context, 0, cred->ccache,
                                &in_creds, out_creds);
    if (code)
        goto cleanup;

    /*
     * Enforce a stricter limit (without timeskew forgiveness at the
     * boundaries) because accept_sec_context code is also similarly
     * non-forgiving.
     */
    if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
        (*out_creds)->times.endtime < now) {
        code = KRB5KRB_AP_ERR_TKT_EXPIRED;
        goto cleanup;
    }

cleanup:
    if (in_creds.client)
        krb5_free_principal(context, in_creds.client);
    if (in_creds.server)
        krb5_free_principal(context, in_creds.server);
    return code;
}
krb5_get_credentials returns a malloced Kerberos credential via the
output parameter out_creds. This credential is not freed if the calling
routine returns a KRB5KRB_AP_ERR_TKT_EXPIRED error because of the
time comparison after the comment and the routine that calls get_credentials
(new_connection, same file) does not free it either, because of the
returned error (and the goto is 'fairly redundant').
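To make the ownership problem concrete, here is an added C model of the reported routine beside the shape of its fix; it is not krb5 code. krb5_get_credentials and krb5_free_creds are replaced by constructed stand-ins that keep a live-allocation counter, the error code is a placeholder value, and the caller mirrors new_connection in freeing only on success.

```c
#include <errno.h>
#include <stdlib.h>

#define TKT_EXPIRED_ERR 32 /* constructed stand-in for KRB5KRB_AP_ERR_TKT_EXPIRED */
typedef struct { long endtime; } creds_t; /* minimal model of krb5_creds */
static int live_creds; /* credentials malloced but not yet freed */
/* Stand-in for krb5_get_credentials: on success, ownership of a freshly
 * malloced credential passes to the caller through out_creds. */
static int fake_get_credentials(long endtime, creds_t **out_creds) {
    *out_creds = malloc(sizeof **out_creds);
    if (*out_creds == NULL) return ENOMEM;
    (*out_creds)->endtime = endtime;
    live_creds++;
    return 0;
}
static void fake_free_creds(creds_t *c) { free(c); live_creds--; }

/* Shape of the reported code: the expiry check fails after ownership has
 * already been handed over, and nothing on this error path releases it. */
static int get_credentials_leaky(long endtime, long now, creds_t **out_creds) {
    int code = fake_get_credentials(endtime, out_creds);
    if (code) return code;
    if (*out_creds != NULL && (*out_creds)->endtime < now)
        return TKT_EXPIRED_ERR; /* *out_creds is leaked */
    return 0;
}

/* Shape of the proposed fix: release the credential and clear the output
 * parameter before returning, so the caller sees neither a leak nor a dangling pointer. */
static int get_credentials_fixed(long endtime, long now, creds_t **out_creds) {
    int code = fake_get_credentials(endtime, out_creds);
    if (code) return code;
    if (*out_creds != NULL && (*out_creds)->endtime < now) {
        fake_free_creds(*out_creds);
        *out_creds = NULL;
        return TKT_EXPIRED_ERR;
    }
    return 0;
}

/* Models the caller (new_connection), which frees the credential only on success.
 * Returns how many credentials are still live after one call with an expired
 * ticket (endtime 100, now 200): 1 for the leaky version, 0 for the fixed one. */
int live_after_expired_call(int use_fixed) {
    creds_t *c = NULL;
    live_creds = 0;
    if (use_fixed) get_credentials_fixed(100, 200, &c);
    else get_credentials_leaky(100, 200, &c);
    int live = live_creds;
    if (c != NULL) fake_free_creds(c); /* reclaimed only so this demo itself does not leak */
    return live;
}
```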
>How-To-Repeat:
Call gss_init_sec_context with a credentials handle referring to an
expired Kerberos ticket.
>Fix:
--- kerberos-gc-leak/src/lib/gssapi/krb5/init_sec_context.c 19 Mar 2006 14:41:59 -0000 1.1.1.1
+++ kerberos-gc-leak/src/lib/gssapi/krb5/init_sec_context.c 15 Jun 2006 15:22:49 -0000 1.1.1.1.6.2
@@ -126,6 +126,9 @@
if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
(*out_creds)->times.endtime < now) {
code = KRB5KRB_AP_ERR_TKT_EXPIRED;
+
+ krb5_free_creds(context, *out_creds);
+ *out_creds = NULL;
goto cleanup;
}
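Review bot: the free is placed only in the expiry branch, although `cleanup:` already runs for every error exit of this routine; releasing `*out_creds` there under `if (code && *out_creds)` would cover any error path added later between krb5_get_credentials and the return without reintroducing the leak. Clearing `*out_creds = NULL` after the free is the right call, since the caller must not be left holding a dangling pointer. The extra blank `+` line ahead of `krb5_free_creds` is a stray whitespace change and should be dropped.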