[krbdev.mit.edu #6787] S4U memory leak
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Wed Sep 29 14:19:30 EDT 2010
I see the same issue in the forwarded credentials case also. Here is
our patch using a flag as applied to your trunk. Our version still has
code for gss_add_cred in lib/gssapi/krb5 which I touched also but it
appears to be dead code. This works for us but I am not sure whether
you want to solve it this way since it appears to be a design issue
rather than simply incorrect code.
Index: src/lib/gssapi/krb5/rel_cred.c
===================================================================
--- src/lib/gssapi/krb5/rel_cred.c (revision 24369)
+++ src/lib/gssapi/krb5/rel_cred.c (working copy)
@@ -56,7 +56,16 @@
/* ignore error destroying mutex */
if (cred->ccache)
- code1 = krb5_cc_close(context, cred->ccache);
+ {
+ if (cred->destroy_ccache)
+ {
+ code1 = krb5_cc_destroy(context, cred->ccache);
+ }
+ else
+ {
+ code1 = krb5_cc_close(context, cred->ccache);
+ }
+ }
else
code1 = 0;
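Review bot: The braces added around the single-statement branches under `if (cred->destroy_ccache)` do not match the unbraced `else code1 = 0;` that closes the same hunk. The nesting can be dropped by chaining the tests, with the same three outcomes: `if (cred->ccache && cred->destroy_ccache) code1 = krb5_cc_destroy(context, cred->ccache); else if (cred->ccache) code1 = krb5_cc_close(context, cred->ccache); else code1 = 0;`.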
Index: src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- src/lib/gssapi/krb5/gssapiP_krb5.h (revision 24369)
+++ src/lib/gssapi/krb5/gssapiP_krb5.h (working copy)
@@ -173,6 +173,7 @@
unsigned int proxy_cred : 1;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
+ unsigned int destroy_ccache : 1;
/* keytab (accept) data */
krb5_keytab keytab;
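Review bot: The new `destroy_ccache` bit has no comment saying who sets it or what it means for ownership of `ccache`. A short comment on the field, for example `/* ccache was created for this cred; destroy instead of close on release */`, would document the contract that the rel_cred.c change relies on.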
Index: src/lib/gssapi/krb5/s4u_gss_glue.c
===================================================================
--- src/lib/gssapi/krb5/s4u_gss_glue.c (revision 24369)
+++ src/lib/gssapi/krb5/s4u_gss_glue.c (working copy)
@@ -227,6 +227,8 @@
if (code != 0)
goto cleanup;
+ cred->destroy_ccache = 1;
+
code = krb5_cc_initialize(context, cred->ccache,
cred->proxy_cred ?
impersonator_cred->name->princ
:
subject_creds->client);
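Review bot: `cred->destroy_ccache = 1;` is set before the `krb5_cc_initialize` call, so a failure in that call reaches `cleanup` with the flag already set. Please confirm that the cleanup path releases `cred` through the rel_cred.c code that checks the flag; if it only closes the ccache, the leak remains on this error path. A one-line comment explaining why the flag is set here would also help.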
Index: src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- src/lib/gssapi/krb5/acquire_cred.c (revision 24369)
+++ src/lib/gssapi/krb5/acquire_cred.c (working copy)
@@ -548,6 +548,7 @@
#ifndef LEAN_CLIENT
cred->keytab = NULL;
#endif /* LEAN_CLIENT */
+ cred->destroy_ccache = 0;
cred->ccache = NULL;
code = k5_mutex_init(&cred->lock);
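Review bot: `cred->destroy_ccache = 0;` is the only one-bit flag this hunk shows being initialized explicitly, next to `keytab` and `ccache`. If the structure is already zeroed when it is allocated, the line is redundant; if it is not, the other flags declared beside it in gssapiP_krb5.h need the same treatment.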
Index: src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- src/lib/gssapi/krb5/accept_sec_context.c (revision 24369)
+++ src/lib/gssapi/krb5/accept_sec_context.c (working copy)
@@ -252,6 +252,7 @@
/* cred->name already set */
cred->keytab = NULL; /* no keytab associated with this... */
cred->tgt_expire = creds[0]->times.endtime; /* store the end
time */
+ cred->destroy_ccache = 1;
cred->ccache = ccache; /* the ccache containing the credential
*/
ccache = NULL; /* cred takes ownership so don't destroy */
}
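Review bot: The context lines in this hunk were wrapped by the mailer (`/* store the end` / `time */` and `/* the ccache containing the credential` / `*/`), so the hunk will not apply as posted; please resend the patch as an attachment. Separately, the added `cred->destroy_ccache = 1;` is the only assignment in the block without a trailing comment, and the existing comment `/* cred takes ownership so don't destroy */` now reads ambiguously next to a flag that requests destruction, so a comment saying that the ccache is destroyed when the cred is released would make the intent clear.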