[krbdev.mit.edu #3924] the krb5_get_server_rcache routine frees already freed memory in error path
The RT System itself via RT
rt-comment at krbdev.mit.edu
Thu Jun 22 15:24:52 EDT 2006
Date: Thu, 22 Jun 2006 17:46:59 +0200
From: Rainer Weikusat <rainer.weikusat at sncag.com>
Message-Id: <200606221546.k5MFkxks006097 at skamandros.sncag.com>
To: krb5-bugs at mit.edu
Subject: double-free in srv_rcache.c
>Submitter-Id: net
>Originator: Rainer Weikusat
>Organization:
SNC AG
>Confidential: no
>Synopsis: the krb5_get_server_rcache routine frees already freed memory in error path
>Severity: non-critical
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.3
>Environment:
System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686
>Description:
The krb5_get_server_rcache routine in src/lib/krb5/krb has a local
variable named rcache which is freed before returning to the caller
if its value is not a null pointer. The krb5_rc_resolve_full routine
(in src/lib/krb5/rcache/rc_base.c) which is called by
krb5_get_server_rcache towards the end (l. 107) allocates memory for
a krb5 rcache descriptor structure and stores the corresponding
address at the location its parameter id points to. When called from
krb5_get_server_rcache, this is the address of the rcache variable.
If the type cannot be resolved (e.g. because it hasn't been registered),
the memory is freed but the already initialized pointer is not
cleared, which causes the calling routine to attempt to free it
for a second time.
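As an added illustration for this report (not krb5 code, and not the reporter's), the following C model reproduces the ownership pattern described above: a callee that frees the block it stored through its out-parameter without clearing the pointer, and a caller whose cleanup path frees whatever is still non-null. A small tracking allocator counts the second free instead of corrupting the heap, so the pre-patch caller, the patched caller (no free in cleanup) and a callee that clears `*id` on failure can be compared side by side. The names `resolve_full`, `get_server_rcache`, the `rcache_desc` type and the `RC_*` error codes are stand-ins invented for this example, not the library's definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Error codes for this model only; they are not krb5's values. */
enum { RC_OK = 0, RC_NOMEM = 1, RC_TYPE_NOTFOUND = 2 };

typedef struct { char type[16]; } rcache_desc;   /* stand-in for the descriptor */

/* Tracking allocator: remembers live descriptors so that freeing a pointer
 * that is not live is counted instead of corrupting the heap. */
static rcache_desc *live[MAX_LIVE];
static int double_free_count;

static void tracker_reset(void) {
    memset(live, 0, sizeof live);
    double_free_count = 0;
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) n++;
    return n;
}

static rcache_desc *desc_alloc(void) {
    rcache_desc *d = calloc(1, sizeof *d);
    for (int i = 0; d && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = d; return d; }
    free(d);                                       /* no free slot (or calloc failed) */
    return NULL;
}

static void desc_free(rcache_desc *d) {
    if (!d) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == d) { live[i] = NULL; free(d); return; }
    double_free_count++;                           /* a second free of the same block */
}

/* Stand-in for krb5_rc_resolve_full as the report describes it: allocate a
 * descriptor, store its address through `id`, and on an unknown type free it
 * again. `clear_on_fail` selects whether *id is reset to NULL afterwards (the
 * step the report finds missing). Only the "dfl:" type is "registered" here. */
static int resolve_full(rcache_desc **id, const char *name, int clear_on_fail) {
    rcache_desc *d = desc_alloc();
    if (!d) return RC_NOMEM;
    *id = d;
    if (strncmp(name, "dfl:", 4) != 0) {
        desc_free(d);
        if (clear_on_fail) *id = NULL;
        return RC_TYPE_NOTFOUND;
    }
    strncpy(d->type, "dfl", sizeof d->type - 1);
    return RC_OK;
}

/* Stand-in for the caller's cleanup logic. free_in_cleanup = 1 models the
 * pre-patch code (cleanup frees rcache if non-null); 0 models the patched
 * code, where cleanup no longer touches rcache. */
static int get_server_rcache(const char *name, int callee_clears,
                             int free_in_cleanup, rcache_desc **rcptr) {
    rcache_desc *rcache = NULL;
    int retval = resolve_full(&rcache, name, callee_clears);
    if (retval)
        goto cleanup;
    *rcptr = rcache;
    rcache = NULL;                     /* ownership has passed to the caller */
cleanup:
    if (free_in_cleanup && rcache)
        desc_free(rcache);             /* dangling if the callee freed but did not clear */
    return retval;
}

/* One unknown-type lookup on a fresh tracker; returns the double frees it provoked. */
static int double_frees_for(int callee_clears, int free_in_cleanup) {
    rcache_desc *out = NULL;
    tracker_reset();
    (void)get_server_rcache("bogus:x", callee_clears, free_in_cleanup, &out);
    return double_free_count;
}

/* Known-type lookup: exactly one live descriptor is handed to the caller and
 * released cleanly by it. Returns 1 on success. */
static int success_path_ok(void) {
    rcache_desc *out = NULL;
    tracker_reset();
    if (get_server_rcache("dfl:host", 1, 0, &out) != RC_OK || !out) return 0;
    if (live_count() != 1) return 0;
    desc_free(out);
    return live_count() == 0 && double_free_count == 0;
}

int main(void) {
    printf("pre-patch caller, callee leaves *id dangling: %d double free(s)\n", double_frees_for(0, 1));
    printf("patched caller (no free in cleanup):          %d double free(s)\n", double_frees_for(0, 0));
    printf("callee clears *id on failure:                 %d double free(s)\n", double_frees_for(1, 1));
    printf("success path ok: %d\n", success_path_ok());
    return 0;
}
```

The model shows why either side of the interface can close the hole: the patch below takes the caller's free out of `cleanup:`, while clearing `*id` in the callee would protect every caller that frees on error. Both together are the robust choice, since neither relies on the other to hold.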
>How-To-Repeat:
Use the KRB5RCACHETYPE variable to request using a replay cache
type unknown to the Kerberos library.
>Fix:
--- kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 19 Mar 2006 14:42:00 -0000 1.1.1.1
+++ kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 22 Jun 2006 15:26:59 -0000 1.1.1.1.12.1
@@ -115,17 +115,13 @@
retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew);
if (retval) {
krb5_rc_close(context, rcache);
- rcache = 0;
goto cleanup;
}
*rcptr = rcache;
- rcache = 0;
retval = 0;
cleanup:
- if (rcache)
- krb5_xfree(rcache);
if (cachename)
krb5_xfree(cachename);
return retval;
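Review bot: with both `krb5_xfree(rcache)` lines removed from `cleanup:`, the function now depends on every failure path that reaches the label having already released `rcache`: `krb5_rc_resolve_full` on an unknown type (per the description above) and `krb5_rc_close` in the recover-or-initialize path shown in this hunk. That contract is invisible at the label itself, so a one-line comment at `cleanup:` stating that `rcache` is never owned there would keep a later edit from reintroducing the free; the removal of the now-dead `rcache = 0;` after `krb5_rc_close` is consistent with that reading. The root cause the report names, `krb5_rc_resolve_full` freeing the descriptor but leaving `*id` pointing at it, is not touched by this patch, so any other caller that frees on error keeps the same double free; clearing `*id` on failure inside `krb5_rc_resolve_full` would be the more general fix and can go in alongside this one.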