rewrite gss_krb5_ccache_name

Jeffrey Altman jaltman at
Fri Nov 21 20:44:04 EST 2008

Stephen Ince wrote:
> I would like to rewrite or write a similar function to gss_krb5_ccache_name 
> that does not do any strdups.
> I am using kfw-3-2-2-final on win32.  I see that gss_krb5_ccache_name is 
> defined in set_ccache.c but none of the functions that it uses are exported 
> or visible.
> gss_krb5_ccache_name is leaking the name of the cache per thread that is 
> created. Which my case is a lot of threads that get created.
> Basically write a "xgss_krb5_ccache_name" that set the default kerberos 
> cache but does not do a strdup.
> e.g.
> xgss_krb5_ccache_name(minor_status, name){
> :
>     if (!err)
>         kg_set_ccache_name (&err, name);
> :
> }
> I noticed that kg_set_ccache_name is not visible outside the lib. I can not 
> seem to find it.
> Any guidance would be appreciated.
> Steve 


For thread safety reasons the gss library uses thread local storage
(TLS) to store a number of values including ccache name and error
messages.  The TLS stored value must be a copy in order to prevent
corruption when the original source string is deallocated or altered.

It sounds like the processing model that you are using is similar to:

 1. accept incoming connection
 2. create thread to process the connection
 3. upon completion of the connection, terminate thread

which in turn is resulting in leakage of the TLS stored values.

If that is the case, the real bug here is that the gssapi32.dll
does not implement a DLL_THREAD_DETACH routine which would free
any allocated memory stored under the registered TLS keys.

Please confirm.

Jeffrey Altman
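
The leak pattern and its fix, as an added example that is not part of the original message and is not code from the gss library: a POSIX threads analog in which a TLS key destructor plays the role of the DLL_THREAD_DETACH cleanup. The function names, the counter and the cache name string are hypothetical and constructed for illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static pthread_key_t ccache_key;   /* hypothetical per-thread ccache-name slot */
static atomic_int live_copies;     /* copies allocated and not yet freed */

/* Runs at thread exit for a non-NULL slot: the POSIX counterpart of
 * freeing TLS values from a DLL_THREAD_DETACH handler. */
static void free_ccache_copy(void *p) {
    free(p);
    atomic_fetch_sub(&live_copies, 1);
}

/* Store a private copy of name in TLS, releasing any previous copy. */
static int set_thread_ccache_name(const char *name) {
    char *copy = malloc(strlen(name) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, name);
    char *old = pthread_getspecific(ccache_key);
    if (pthread_setspecific(ccache_key, copy) != 0) { free(copy); return -1; }
    atomic_fetch_add(&live_copies, 1);
    if (old != NULL) free_ccache_copy(old);
    return 0;
}

/* One thread per "connection": set the name, then terminate. */
static void *connection_thread(void *arg) {
    set_thread_ccache_name((const char *)arg);
    return NULL;
}

/* Run nthreads short-lived threads; return copies still allocated afterwards. */
int copies_left_after(int nthreads, int with_cleanup) {
    atomic_store(&live_copies, 0);
    if (pthread_key_create(&ccache_key, with_cleanup ? free_ccache_copy : NULL) != 0) return -1;
    for (int i = 0; i < nthreads; i++) {
        pthread_t t;  /* constructed cache name below */
        if (pthread_create(&t, NULL, connection_thread, (void *)"FILE:/tmp/krb5cc_constructed") != 0) return -1;
        pthread_join(t, NULL);
    }
    pthread_key_delete(ccache_key);
    return atomic_load(&live_copies);
}

int main(void) {
    printf("no thread-exit cleanup: %d copies leaked\n", copies_left_after(100, 0));
    printf("with thread-exit cleanup: %d copies leaked\n", copies_left_after(100, 1));
    return 0;
}
```

Without the destructor, every terminated thread leaves its copy allocated, which is the growth seen under a thread-per-connection model.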