Patch 8/9: KerbSubmitTicket() should check malloc() return for NULL
Alexandr Nedvedicky
alexandr.nedvedicky at oracle.com
Mon Feb 19 19:47:10 EST 2018
Hello,
I'm upgrading kerberos bundled with Solaris to krb5-1.16. Solaris currently
ships krb5-1.15.1. I've noticed there are some memory leaks while running the test
suite which comes with krb-1.16 (e.g. running 'make check'). I don't think
those memory leaks are critical, though as a kerberos newbie I can't be sure, so
I think I'd better share my findings. All memory leaks were found using
'libumem', which can be found on Solaris (or its OSS sibling illumos).
All patches are against the krb5-1.16 release.
I have not seen such a NULL-pointer dereference panic. I just spotted
this while I was browsing through the code. The same goes for the potential
memory leak on 'keyblock->contents == NULL'.
regards
sasha
--------8<---------------8<---------------8<------------------8<--------
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index c741a5099..c26975c65 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -765,9 +765,16 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
* that an enctype other than NULL be used. */
if (keyblock == NULL) {
keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
+ if (keyblock == NULL) {
+ return FALSE;
+ }
keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
keyblock->length = 16;
keyblock->contents = (krb5_octet *)malloc(16);
+ if (keyblock->contents == NULL) {
+ free(keyblock);
+ return FALSE;
+ }
keyblock->contents[0] = 0xde;
keyblock->contents[1] = 0xad;
keyblock->contents[2] = 0xbe;
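Review bot: the two early `return FALSE` exits skip whatever cleanup the function's normal exit path performs, so anything KerbSubmitTicket() allocated before line 765 would leak on the new error paths; the hunk context does not show that earlier state, so please verify it against the full function or route these exits through the existing cleanup path. The `free(keyblock)` after the `contents` check is correct only because this code runs inside `if (keyblock == NULL)`, i.e. the keyblock was allocated here rather than supplied by the caller; a one-line comment stating that would save the next reader from checking. Consider `calloc()` for the keyblock so that `contents` is NULL on every path rather than only after the explicit assignment.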