[krbdev.mit.edu #6844] Memory leak in save_error_string_nocopy()
Tim Pozdeev via RT
rt-comment at krbdev.mit.edu
Tue Dec 14 22:32:38 EST 2010
krb5 version 1.8.3. It also applies to version 1.7.x.
There is a memory leak in save_error_string_nocopy() in disp_status.c.
Using umem and gcore leak detection under Solaris highlights the
following leak.
umem_alloc_16 leak: 84 buffers, 16 bytes each, 1344 bytes total
    ADDR     BUFADDR  TIMESTAMP       THREAD
             CACHE    LASTLOG         CONTENTS
    592b7e0  5929750  1b4ec693e03bcb  172
             226a028  221ac00         0
        libumem.so.1`umem_cache_alloc_debug+0x12b
        libumem.so.1`umem_cache_alloc+0xc8
        libumem.so.1`umem_alloc+0xaf
        libumem.so.1`malloc+0x2e
        libgssapi_krb5.so.2`gss_krb5_save_error_string_nocopy+0x2e
        libgssapi_krb5.so.2`krb5_gss_save_error_string+0x2f
        libgssapi_krb5.so.2`krb5_gss_save_error_info+0x2b
        libgssapi_krb5.so.2`krb5_gss_validate_cred+0x6e
        libgssapi_krb5.so.2`krb5_gss_init_sec_context+0x175
        libgssapi_krb5.so.2`gss_init_sec_context+0x27c
The memory allocated on line 81 (in disp_status.c) never gets freed.
79:     p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE);
80:     if (!p) {
81:         p = malloc(sizeof(*p));   <<<--- here
82:         if (p == NULL) {
83:             ret = 1;
The fix is to free the memory in krb5_gss_delete_error_info():
--- disp_status.c Tue Dec 8 11:04:48 2009
+++ disp_status.c-fixed Wed Dec 15 12:00:12 2010
@@ -148,6 +148,7 @@
void krb5_gss_delete_error_info(void *p)
{
gsserrmap_destroy(p);
+ free(p);
}
/**/
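Review bot: the added free(p) after gsserrmap_destroy(p) is only safe if gsserrmap_destroy() releases what the map holds and not p itself, and if every p reaching krb5_gss_delete_error_info() comes from the malloc(sizeof(*p)) on line 81 of the quoted excerpt; if either does not hold, the leak becomes a double free or an invalid free. Please confirm both and add a one-line comment above free(p) naming the matching malloc() in save_error_string_nocopy(), so the ownership is visible at the point of release. The diff headers name the files as disp_status.c and disp_status.c-fixed with no directory, so the patch needs a path or the right -p level to apply in the source tree.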
Tim
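
The leak pattern reported above, reproduced as an added example with plain pthreads (this is not krb5 code and not part of the original message). It assumes krb5_gss_delete_error_info() runs as the per-thread destructor for the key read on line 79; struct errmap, xalloc/xfree and the function names are hypothetical stand-ins.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-thread error map; not the krb5 type. */
struct errmap { char *msg; };
static pthread_key_t key;
static int live;   /* outstanding allocations; threads run one at a time */

static void *xalloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { live--; free(p); } }

/* Releases what the map holds, not the map itself. */
static void errmap_destroy(struct errmap *m) { xfree(m->msg); m->msg = NULL; }

/* Destructor shape before the fix: the container is never freed. */
void delete_info_leaky(void *p) { errmap_destroy(p); }
/* Destructor shape after the fix: contents first, then the container. */
void delete_info_fixed(void *p) { errmap_destroy(p); xfree(p); }

/* Lazy per-thread allocation, same pattern as the quoted lines 79-83. */
static void *worker(void *arg)
{
    struct errmap *m = pthread_getspecific(key);
    (void)arg;
    if (!m) {
        m = xalloc(sizeof(*m));
        if (m == NULL) return NULL;
        m->msg = NULL;
        if (pthread_setspecific(key, m) != 0) { xfree(m); return NULL; }
    }
    m->msg = xalloc(16);   /* constructed payload */
    return NULL;
}

/* Run nthreads short-lived threads; return allocations still outstanding. */
int leaked_after(void (*dtor)(void *), int nthreads)
{
    live = 0;
    if (pthread_key_create(&key, dtor) != 0) return -1;
    for (int i = 0; i < nthreads; i++) {
        pthread_t t;
        if (pthread_create(&t, NULL, worker, NULL) != 0) return -1;
        pthread_join(t, NULL);
    }
    pthread_key_delete(key);
    return live;
}

int main(void) { return leaked_after(delete_info_fixed, 84) == 0 ? 0 : 1; }
```

With the leaky destructor, one container per exited thread stays allocated, which is the same one-buffer-per-thread growth the umem report shows.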