Patch 8/9: KerbSubmitTicket() should check malloc() return for NULL

Alexandr Nedvedicky alexandr.nedvedicky at
Mon Feb 19 19:47:10 EST 2018


I'm upgrading kerberos bundled with Solaris to krb5-1.16. Solaris currently
ships krb5-1.15.1. I've noticed there are some memory leaks, while running test
suite, which comes with krb-1.16 (e.g. running 'make check').  I don't think
those memory leaks are critical, though as kerberos newbie I can't be sure, so
I think I'm better to share my findings. All memory leaks were found using
'libumem', which can be found on Solaris (or its OSS sibbling illumos).
All patches are against krb5-1.16 release.

I have not seen such NULL-pointer dereference panic. I've just spot
this while I was browsing through code. Same goes to potential
memory leak on 'keyblock->contents == NULL'.


diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index c741a5099..c26975c65 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -765,9 +765,16 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG  PackageId,
      * that an enctype other than NULL be used. */
     if (keyblock == NULL) {
         keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
+	if (keyblock == NULL) {
+		return FALSE;
+	}
         keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
         keyblock->length = 16;
         keyblock->contents = (krb5_octet *)malloc(16);
+	if (keyblock->contents == NULL) {
+		free(keyblock);
+		return FALSE;
+	}
         keyblock->contents[0] = 0xde;
         keyblock->contents[1] = 0xad;
         keyblock->contents[2] = 0xbe;

More information about the krbdev mailing list