[krbdev.mit.edu #6863] memory leak on SPNEGO error path
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Wed Feb 9 16:07:31 EST 2011
We ran into this a while ago and I think the issue was that a failure on
a non-initial call to gss_init_sec_context or gss_accept_sec_context
results in the SPNEGO context being freed. The caller then calls
gss_delete_sec_context on the union context which calls down into SPNEGO
which calls gss_delete_sec_context on the NULL context which reports an
error. The error is passed up to the mechglue layer which returns it
and doesn't free the union context.
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 24618)
+++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
@@ -2080,16 +2080,18 @@
/*
* If this is still an SPNEGO mech, release it locally.
*/
- if (*ctx != NULL &&
- (*ctx)->magic_num == SPNEGO_MAGIC_ID) {
- (void) gss_delete_sec_context(minor_status,
- &(*ctx)->ctx_handle,
- output_token);
- (void) release_spnego_ctx(ctx);
- } else {
- ret = gss_delete_sec_context(minor_status,
- context_handle,
- output_token);
+ if (*ctx != NULL)
+ {
+ if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
+ (void) gss_delete_sec_context(minor_status,
+ &(*ctx)->ctx_handle,
+ output_token);
+ (void) release_spnego_ctx(ctx);
+ } else {
+ ret = gss_delete_sec_context(minor_status,
+ context_handle,
+ output_token);
+ }
}
return (ret);
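Review bot: the new outer `if (*ctx != NULL)` has no else branch, so when the SPNEGO context has already been freed the function reaches `return (ret);` without calling anything, and the status returned depends on how `ret` was initialized above this hunk, which is not visible here. Please confirm `ret` starts as GSS_S_COMPLETE, and consider setting `*minor_status` to 0 and clearing `output_token` on that path so callers do not read stale values. The comment above the test ("If this is still an SPNEGO mech, release it locally.") should also mention the NULL case, and the opening brace on its own line after `if (*ctx != NULL)` does not match the `if (...) {` style used on the next line.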
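The failure chain described in the report, as a small stand-alone C model added here (not MIT krb5 code and not part of the original message). `union_ctx`, `mech_ctx`, `mech_delete`, `glue_delete` and the `tolerate_null` switch are hypothetical names, and the model assumes the glue layer frees its own context only when the mechanism's delete reports success.

```c
#include <stdlib.h>

/* Toy two-layer model: a union context owned by the glue layer wraps a
 * mechanism context owned by the mechanism. All names are hypothetical. */
typedef struct { int magic; } mech_ctx;
typedef struct { mech_ctx *internal; } union_ctx;

static int live_allocs;                 /* allocations not yet freed */

static void *xalloc(size_t n)
{
    void *p = calloc(1, n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

/* Mechanism delete. tolerate_null == 0 treats a NULL context as an error
 * (the behaviour in the report); 1 treats it as a successful no-op. */
static int mech_delete(mech_ctx **ctx, int tolerate_null)
{
    if (*ctx == NULL)
        return tolerate_null ? 0 : -1;
    xfree(*ctx);
    *ctx = NULL;
    return 0;
}

/* Glue delete: frees the union context only if the mechanism succeeded. */
static int glue_delete(union_ctx **u, int tolerate_null)
{
    int ret = mech_delete(&(*u)->internal, tolerate_null);
    if (ret != 0)
        return ret;                     /* union context stays allocated */
    xfree(*u);
    *u = NULL;
    return 0;
}

/* A non-initial call fails and the mechanism frees its own context; the
 * caller then deletes. Returns the number of allocations still live. */
static int leaked_after_failed_call(int tolerate_null)
{
    live_allocs = 0;
    union_ctx *u = xalloc(sizeof(*u));
    if (u == NULL)
        return -1;
    u->internal = xalloc(sizeof(mech_ctx));
    xfree(u->internal);                 /* error path frees mechanism ctx */
    u->internal = NULL;
    (void) glue_delete(&u, tolerate_null);
    return live_allocs;
}
```

With `tolerate_null` set to 0 one allocation (the union context) is still live after the delete; with 1 nothing is left.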