[krbdev.mit.edu #3962] krb5_get_server_rcache double free

Shawn Emery via RT rt-comment at krbdev.mit.edu
Thu Jun 29 22:46:56 EDT 2006


The fix for:
[krbdev.mit.edu #3924] the krb5_get_server_rcache routine frees

is not complete (listed here for convenience):

src/lib/krb5/krb/srv_rcache.c	22 Jun 2006 15:26:59 -0000	1.1.1.1.12.1
@@ -115,17 +115,13 @@
     retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew);
     if (retval) {
 	krb5_rc_close(context, rcache);
-	rcache = 0;
 	goto cleanup;
     }
 
     *rcptr = rcache;
-    rcache = 0;
     retval = 0;
 
 cleanup:
-    if (rcache)
-	krb5_xfree(rcache);
     if (cachename)
 	krb5_xfree(cachename);
     return retval;
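Review bot: removing both `rcache = 0;` assignments together with the `if (rcache) krb5_xfree(rcache);` in cleanup leaves this function with no release of `rcache` of its own, so the krb5_rc_recover_or_initialize failure path is leak-free only if krb5_rc_close frees the structure, and the krb5_rc_resolve_full failure path only if that routine frees it before returning; neither contract is recorded anywhere in the hunk. Add a comment at the `cleanup:` label, e.g. `/* rcache is released by krb5_rc_resolve_full on failure and by krb5_rc_close after that; never free it here */`, so that a later reader who sees cachename freed but rcache untouched does not reintroduce the double free, and confirm the krb5_rc_close contract before relying on it, since the post below argues this path now leaks.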

---
When krb5_rc_recover_or_initialize() returns failure, rcache now leaks.

We know that krb5_rc_resolve_full() frees rcache after failure; we just 
need to set rcache to NULL so that we don't double-free.  Suggested fix 
(diffs based on 1.5-alpha1):

src/lib/krb5/krb/srv_rcache.c:
@@ -103,12 +103,14 @@
 #endif

     cachename[p++] = '\0';

     retval = krb5_rc_resolve_full(context, &rcache, cachename);
-    if (retval)
+    if (retval) {
+       rcache = 0;
        goto cleanup;
+    }

     /*
      * First try to recover the replay cache; if that doesn't work,
      * initialize it.
      */
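Review bot: if the `cleanup:` block in 1.5-alpha1 still contains `if (rcache) krb5_xfree(rcache);`, this hunk makes that free unreachable, because the krb5_rc_resolve_full failure path now zeroes `rcache` and the other two paths (after krb5_rc_close, and after handing the cache to *rcptr) already do. Either remove the dead free in the same change or put a comment on the new `rcache = 0;` saying that krb5_rc_resolve_full has already released the object on failure; a pointer zeroed right after a failed call, above a label that frees it, gives a reader no way to tell which side owns the allocation. It is also worth asking whether krb5_rc_resolve_full should set `*rcache = NULL` on its own failure path, which would fix every caller at once rather than this one.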

Shawn.
--
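A constructed C example, added here and not code from the post or from MIT krb5, of the ownership hazard the post describes: a callee that frees its out-parameter on failure but leaves the caller's pointer dangling, the 1.5-alpha1-shaped caller whose `cleanup:` label then frees the object a second time, and the same caller with the suggested `rcache = 0;` applied. `mock_resolve_full`, `mock_recover_or_initialize`, `mock_close`, the `tracked_*` helpers and the `fixed` flag are stand-ins of my own; that the close routine releases the structure is an assumption, and the tracker counts the second free rather than performing it so the program runs safely.

```c
#include <stdlib.h>

/* Constructed example, not krb5 code. A tiny ownership tracker counts a
 * second free of the same object (instead of corrupting the heap) and the
 * objects still live when a scenario ends. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int live_count, double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) { live[i] = live[--live_count]; free(p); return; }
    double_frees++;   /* p is not live: a real free() here would be UB */
}

static void tracker_reset(void)
{
    while (live_count > 0) free(live[--live_count]);
    double_frees = 0;
}

/* Hypothetical stand-ins for the krb5 routines the post names. */
typedef struct { int recovered; } mock_rcache;
enum { FAIL_NONE = 0, FAIL_RESOLVE = 1, FAIL_RECOVER = 2 };

/* Contract the post relies on: on failure the callee frees the object it
 * allocated but leaves *out pointing at the freed memory. */
static int mock_resolve_full(mock_rcache **out, int fail)
{
    if ((*out = tracked_alloc(sizeof **out)) == NULL)
        return -1;
    if (fail & FAIL_RESOLVE) {
        tracked_free(*out);   /* *out now dangles */
        return 1;
    }
    return 0;
}

static int mock_recover_or_initialize(mock_rcache *rc, int fail)
{
    if (fail & FAIL_RECOVER) return 1;
    rc->recovered = 1;
    return 0;
}

/* Assumption: close releases the structure (whether krb5_rc_close does is
 * exactly what the post's leak question turns on). */
static void mock_close(mock_rcache *rc) { tracked_free(rc); }

/* Caller in the 1.5-alpha1 shape the post quotes. With fixed == 0 the
 * resolve-failure path leaves rcache dangling and cleanup frees it again;
 * with fixed == 1 the suggested `rcache = 0;` drops the dead reference. */
static int get_rcache(mock_rcache **rcptr, int fail, int fixed)
{
    mock_rcache *rcache = NULL;
    int retval;

    retval = mock_resolve_full(&rcache, fail);
    if (retval) {
        if (fixed)
            rcache = NULL;    /* the callee already released it */
        goto cleanup;
    }
    retval = mock_recover_or_initialize(rcache, fail);
    if (retval) {
        mock_close(rcache);
        rcache = NULL;
        goto cleanup;
    }
    *rcptr = rcache;
    rcache = NULL;
    retval = 0;
cleanup:
    if (rcache)
        tracked_free(rcache); /* second free; only reachable when fixed == 0 */
    return retval;
}

/* Run one scenario from a clean tracker (on success the caller owns the
 * cache and closes it) and report the double frees it produced. */
static int double_free_count(int fail, int fixed)
{
    mock_rcache *rc = NULL;
    tracker_reset();
    if (get_rcache(&rc, fail, fixed) == 0)
        mock_close(rc);
    return double_frees;
}

/* Same scenario, reporting objects never released. */
static int leak_count(int fail, int fixed)
{
    double_free_count(fail, fixed);
    return live_count;
}
```

`double_free_count(FAIL_RESOLVE, 0)` returns 1 for the unfixed caller and 0 once `rcache` is zeroed; `leak_count` is 0 on every path with the fix, under the assumption that close frees the structure. The tracker is the kind of instrumentation worth keeping in a unit test for any function with a `cleanup:` label: it turns "which side owns this pointer after a failed call?" into a number a test can assert on, instead of a crash that only shows up under a heap checker.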



