[krbdev.mit.edu #8223] Uncommon memory leak of err_padata in krb5_init_creds_step()
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun Jul 26 11:29:38 EDT 2015
The krb5_init_creds_context err_padata field is used internally to a
krb5_init_creds_step() operation. It is populated in
init_creds_step_reply() with a call to krb5int_fast_process_error().
It is released or transferred in some error-handling paths, and is
released when the context is destroyed. If it survives at the end of
a call and another KRB-ERROR message is processed in a subsequent
step operation, it is leaked. This can happen in two cases:
* When a realm referral is received, ctx->err_reply is freed but ctx-
>err_padata is not. Realm referral errors do not generally come with
padata, but if they do, and a KRB-ERROR is received on the next query
in the new realm, the padata will be leaked.
* If the error padata is used for k5_preauth_tryagain(), ctx-
>err_padata is not freed during the step call. If
k5_preauth_tryagain() succeeds in producing another request and
another KRB-ERROR is received, the padata will be leaked.
More information about the krb5-bugs
mailing list