Ticket 5442 - Memory Leak in gss_accept_sec_context and minor_status destruction
jaltman at secure-endpoints.com
Wed Jun 18 14:23:18 EDT 2008
I have updated ticket 5442 with a patch to gss_accept_sec_context() that
addresses two issues that were originally reported in 1.4.x but are
still present on the trunk.
(a) In the case where 'cred_handle' != 'verifier_cred_handle'
krb5_gss_accept_sec_context() leaks the 'cred_handle' in the success
case and the failure cases that result in returning from the function
prior to reaching the end of the function.
(b) The meaningful 'minor_status' return value is destroyed during the
The approach taken is to add a new 'exit:' label prior to the end of the
function through which all function returns after reaching the 'fail:'
label will goto. After 'exit:', the 'cred_handle' will be released and
if there is a krb5_context 'context' to be freed, the error info will be
saved and krb5_free_context() will be called.
In the success case, the krb5_context is saved in the gss context and we
now set 'context' to NULL to prevent it from being freed.
In order to preserve the minor_status return code, a 'tmp_minor_status'
variable is added that is used after the 'fail:' label in calls to
krb5_gss_delete_sec_context() and krb5_gss_release_cred().
 If 'verifier_cred_handle' is non-NULL, then 'cred_handle' is set to
the value of 'verifier_cred_handle'.
I would be happy to commit this patch once it has received the review of
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20080618/453e3b50/attachment.bin
More information about the krbdev