[krbdev.mit.edu #5845] krb5_sendauth can double free creds.server
The RT System itself via RT
rt-comment at krbdev.mit.edu
Mon Nov 19 17:26:17 EST 2007
Date: Mon, 19 Nov 2007 08:12:42 -0600 (CST)
Message-Id: <200711191412.IAA02137 at malison.ait.iastate.edu>
To: krb5-bugs at mit.edu
Subject: krb5_sendauth double free error
From: john at iastate.edu
>Submitter-Id: net
>Originator: John Hascall
>Organization: Iowa State University
>Confidential: no
>Synopsis: krb5_sendauth can double free creds.server
>Severity: critical
>Priority: high
>Category: krb5-libs
>Class: sw-bug
>Release: 1.6.3
>Environment:
System: OSF1 malison.ait.iastate.edu V4.0 1229 alpha
Architecture: axp
Machine: alpha
>Description:
Starting at line 102 of src/lib/krb5/krb/sendauth.c (V1.6.3)
we see:
    if ((retval = krb5_copy_principal(context, server,
                                      &creds.server)))
        goto error_return;
    if (client)
        retval = krb5_copy_principal(context, client,
                                     &creds.client);
    else
        retval = krb5_cc_get_principal(context, use_ccache,
                                       &creds.client);
    if (retval) {
        krb5_free_principal(context, creds.server);
        goto error_return;
    ...
error_return:
    krb5_free_cred_contents(context, &creds);
Does this not free creds.server twice
if krb5_copy_principal or (as in my case) krb5_cc_get_principal fails?
>How-To-Repeat:
call krb5_sendauth with client==NULL, in_creds==NULL, ccache==NULL
and no ccache file.
>Fix:
Delete line 112:
    krb5_free_principal(context, creds.server);
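
The error path described in the report, modelled as an added example that is not part of the original message or of the MIT krb5 source. `principal`, `creds_t`, `copy_principal`, `free_principal` and `sendauth_setup` are hypothetical stand-ins for the quoted calls, and a static pool replaces the heap so the second release is counted instead of executed.

```c
/* Added example. principal, creds_t and the helpers are hypothetical
 * stand-ins for the libkrb5 types and calls quoted in the report. */
#include <stdio.h>
typedef struct { int live; } principal;
typedef struct { principal *client, *server; } creds_t;
static principal pool[2];   /* static pool: a repeated free is counted, not UB */
static int pool_used, double_frees;

static int copy_principal(int fail, principal **out)
{
    if (fail)
        return -1;          /* models a failed copy or ccache lookup */
    *out = &pool[pool_used++];
    (*out)->live = 1;
    return 0;
}

static void free_principal(principal *p)
{
    if (p == NULL)
        return;
    double_frees += !p->live;   /* counts a release of an already-freed object */
    p->live = 0;
}

/* Returns the number of double frees seen; as_reported keeps the extra free. */
static int sendauth_setup(int as_reported, int client_fails)
{
    creds_t creds = { NULL, NULL };
    pool[0].live = pool[1].live = pool_used = double_frees = 0;
    if (copy_principal(0, &creds.server))
        goto error_return;
    if (copy_principal(client_fails, &creds.client)) {
        if (as_reported)
            free_principal(creds.server);  /* creds.server is left dangling */
        goto error_return;
    }
error_return:
    /* stand-in for krb5_free_cred_contents(): releases both principals */
    free_principal(creds.client);
    free_principal(creds.server);
    return double_frees;
}

int main(void)
{
    printf("as reported: %d, fixed: %d\n", sendauth_setup(1, 1), sendauth_setup(0, 1));
    return 0;
}
```

With the extra free removed, the single cleanup at `error_return` owns every release, so each early exit only has to jump there.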