RT/krbdev.mit.edu: Ticket #1656 gss_init_sec_context() leaks credentials on error

The Basics
Id: 1656
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: krb5-libs
Tags:
Version_reported: 1.3
Version_Fixed: 1.3.1
Target_Version: 1.3.1

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to: 1601: (Nobody) [<Kent_Wu@trendmicro.com>] RE: memory leak in some Kerberos APIs? [resolved]
Referred to by:

Dates
Created: Wed Jul 9 16:41:49 2003
Starts: Not set
Started: Thu Jul 10 15:06:09 2003
Last Contact: Thu Jul 10 19:08:16 2003
Due: Not set
Updated: Wed Dec 16 18:02:41 2015 by tlyu

People
Owner: tlyu
Requestors: Kent_Wu@trendmicro.com
Cc:
AdminCc:

History
      Wed Jul  9 16:41:49 2003  Kent_Wu@trendmicro.com - Ticket created    
     
From: Kent_Wu@trendmicro.com
Subject: #1601
Date: Wed, 9 Jul 2003 13:41:15 -0700
To: <rt@krbdev.mit.edu>

 

     
Not sure what you meant but I'm following up with #1601.

Kent

-----Original Message-----
From: rt@krbdev.mit.edu [mailto:rt@krbdev.mit.edu]
Sent: Wednesday, July 09, 2003 1:39 PM
To: Kent Wu (RD-US)
Subject: No ticket id specified


comment aliases require a TicketId to work on

     
Hi Tom,

	I just tried the new release of 1.3 and it fixed all the leaking problems I've ever
reported. Good, job well-done and it did give me a confidence boost to integrate this
into our product. However I got a new challenge for you as well once I tested
further.

	My program is using gss_init_sec_context() to do the kerberos authentication, so far
by using 1.3, if everything goes well, no problem at all. However if something went
wrong (for example, I didn't get TGT beforehand) then the first call to
gss_init_sec_context() would fail, after that even though I've freed all the
resources then it would still leak some memories. I think this problem is with regard
to the graceful return from failure situation, there might be some other similar
leaks since I have no way to try all possible failing scenarios. Below is the
detailed report from SUN Workshop.

	Let me know if you guys will address this one soon.

Thx.

Kent

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Actual leaks report    (actual leaks:         5  total size:      49 bytes)
 Total  Num of  Leaked      Allocation call stack
 Size   Blocks  Block
                Address
======  ====== ==========  =======================================
    20       1    0x2ebc0   krb5_fcc_resolve<-krb5_cc_resolve<-krb5_cc_default
<-krb5int_cc_default<-acquire_init_cred<-krb5_gss_acquire_cred<-kg_get_defcred
<-krb5_gss_init_sec_context
    17       1    0x2ecf8   krb5_fcc_resolve<-krb5_cc_resolve<-krb5_cc_default
<-krb5int_cc_default<-acquire_init_cred<-krb5_gss_acquire_cred<-kg_get_defcred
<-krb5_gss_init_sec_context
    12       1    0x2ce10   krb5_fcc_resolve<-krb5_cc_resolve<-krb5_cc_default
<-krb5int_cc_default<-acquire_init_cred<-krb5_gss_acquire_cred<-kg_get_defcred
<-krb5_gss_init_sec_context

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



-----Original Message-----
From: Tom Yu via RT [mailto:rt-comment@krbdev.mit.edu]
Sent: Tuesday, July 08, 2003 1:29 PM
To: Kent Wu (RD-US)
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #1601] RE: [<Kent_Wu@trendmicro.com>] RE:
memory leak in some Kerberos APIs?


>>>>> "Kent" == Kent Wu@trendmicro com via RT <rt-comment@krbdev.mit.edu> writes:

Kent> 	I found my program wasn't complete in authentication so that I
Kent> 	enhanced it to be complete in terms of kerberos
Kent> 	authentication, after that I used SUN LDAP API to do some
Kent> 	search. By doing this I also found some new leaks, not sure if
Kent> 	you have addressed these in the new Beta or not, pls let me
Kent> 	know so that I can give the new Beta a try. I'm still using
Kent> 	Beta 3 now.

The current beta is krb5-1.3-beta5.

Kent> OLD LEAKS: For the first one you mentioned that might be a
Kent> system bug, is this for sure now? I assume 2nd has been taken
Kent> care of, not sure if you've really addressed 3rd or not since
Kent> last time you said it's difficult to take on.

Kent>     32       2      -       get_addr<-getaddrinfo
Kent>     24       1    0x30c58   make_gss_checksum<-make_ap_req_v1<-
Kent> krb5_gss_init_sec_context<-gss_init_sec_context<-main
Kent>      8       1    0x2f708   get_profile_etype_list<-krb5_get_tgs_ktypes<-
Kent> krb5_gss_init_sec_context<-gss_init_sec_context<-main

I'm fairly certain that the getaddrinfo leak is an OS bug, as I'm not
seeing it on my Solaris 8 machine.  The other two leaks have already
been addressed in tickets #1602 and #1604.

Kent> NEW LEAKS: Pls let me know if you have addressed this in the new
Kent> Beta. The last one might be from LDAP SDK.

Kent>     16       1    0x2c698   krb5_generate_subkey<-krb5_mk_req_extended<-
Kent> make_ap_req_v1<-krb5_gss_init_sec_context<-gss_init_sec_context<-main
Kent>     16       1    0x2c710   krb5_copy_keyblock<-krb5_mk_req_extended<-
Kent> make_ap_req_v1<-krb5_gss_init_sec_context<-gss_init_sec_context<-main
Kent>      8       1    0x2f788   krb5_copy_keyblock<-krb5_mk_req_extended<-
Kent> make_ap_req_v1<-krb5_gss_init_sec_context<-gss_init_sec_context<-main
Kent>      8       1    0x2f7e8   krb5_c_make_random_key<-krb5_generate_subkey<-
Kent> krb5_mk_req_extended<-make_ap_req_v1<-krb5_gss_init_sec_context<-
Kent> gss_init_sec_context<-main
Kent>      2       2      -       ber_get_stringa<-ber_scanf

The mk_req_extended leaks were dealt with in bug #1605.  The last one
does look like it might be from code that is not ours, as the function
names don't exist in our code.

---Tom


      Thu Jul 10 15:04:30 2003  tlyu - Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1656]
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 10 Jul 2003 15:04:27 -0400
RT-Send-Cc: 

>>>>> "Kent" == Kent Wu@trendmicro com via RT <rt-comment@krbdev.mit.edu> writes:

Kent> Not sure what you meant but I'm following up with #1601.

Kent> Kent

Kent> -----Original Message-----
Kent> From: rt@krbdev.mit.edu [mailto:rt@krbdev.mit.edu]
Kent> Sent: Wednesday, July 09, 2003 1:39 PM
Kent> To: Kent Wu (RD-US)
Kent> Subject: No ticket id specified


Kent> comment aliases require a TicketId to work on

This means that you sent to rt-comment@krbdev.mit.edu without a valid
ticket ID in the "Subject:" header.  Sending to rt-krb5@krbdev.mit.edu
would have opened a new ticket.  It's probably correct to open a new
ticket for this, though, as it is a new issue.  It is important to
retain the ticket ID string (in this case, [krbdev.mit.edu #1656] ) in
the subject to avoid confusing RT.

Anyway, are you passing in GSS_C_NO_CREDENTIAL to
gss_init_sec_context()?

---Tom


      Thu Jul 10 15:06:08 2003  tlyu - Subject changed from #1601 to gss_init_sec_context() leaks credentials on error    
      Thu Jul 10 15:06:09 2003  tlyu - Status changed from new to open    
      Thu Jul 10 15:06:09 2003  tlyu - Given to tlyu    
      Thu Jul 10 15:06:10 2003  tlyu - Component krb5-libs added    
      Thu Jul 10 15:06:10 2003  tlyu - Version_reported 1.3 added    
      Thu Jul 10 15:06:10 2003  tlyu - Target_Version 1.3.1 added    
      Thu Jul 10 15:06:11 2003  tlyu - Ticket 1656 RefersTo ticket 1601.    
      Thu Jul 10 18:53:06 2003  tlyu - Status changed from open to resolved    
      Thu Jul 10 18:53:07 2003  tlyu - Tags pullup added    
      Thu Jul 10 18:53:07 2003  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: CVS Commit

	* acquire_cred.c (acquire_init_cred): Close the ccache if
	krb5_cc_set_flags() fails, as krb5int_cc_default succeeds even if
	the file is not there, but krb5_cc_set_flags will fail in turning
	off OPENCLOSE mode if the file can't be opened.  Thanks to Kent Wu.


To generate a diff of this commit:



	cvs diff -r1.223 -r1.224 krb5/src/lib/gssapi/krb5/ChangeLog
	cvs diff -r1.31 -r1.32 krb5/src/lib/gssapi/krb5/acquire_cred.c
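
The error path described in the commit message above, as a self-contained C model added here; it is not the krb5 source or the committed patch. All `toy_*` names, the two-block handle and the file path are constructed for illustration: resolving a cache handle succeeds without touching the file, the flag step is the first to open it, and the handle must be closed when that step fails.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model; every name here is hypothetical, none is a krb5 function. */
typedef struct { char *path; } toy_cache;
static int live_blocks;                 /* heap blocks currently held by handles */
/* Resolve step: only records the name, so it succeeds for a missing file. */
static int toy_resolve(const char *path, toy_cache **out) {
    toy_cache *c = malloc(sizeof *c);
    if (c == NULL) return -1;
    c->path = malloc(strlen(path) + 1);
    if (c->path == NULL) { free(c); return -1; }
    strcpy(c->path, path);
    live_blocks += 2;
    *out = c;
    return 0;
}
/* Flag step: the first operation that actually opens the file. */
static int toy_set_flags(toy_cache *c) {
    FILE *f = fopen(c->path, "r");
    if (f == NULL) return -1;
    fclose(f);
    return 0;
}
static void toy_close(toy_cache *c) { free(c->path); free(c); live_blocks -= 2; }
/* close_on_error = 0 models the leaking path, 1 the corrected one. */
static int toy_acquire(const char *path, toy_cache **out, int close_on_error) {
    toy_cache *c;
    if (toy_resolve(path, &c) != 0) return -1;
    if (toy_set_flags(c) != 0) {
        if (close_on_error) toy_close(c);  /* release the handle before returning */
        return -1;                         /* otherwise the caller never sees c */
    }
    *out = c;
    return 0;
}
/* Blocks still allocated after acquiring from a path that does not exist. */
static int leaked_after_failure(int close_on_error) {
    toy_cache *c = NULL;
    int before = live_blocks;
    if (toy_acquire("/nonexistent/toy_ccache", &c, close_on_error) == 0) toy_close(c);
    return live_blocks - before;
}
int main(void) {
    printf("leaked blocks, before fix: %d, after fix: %d\n",
           leaked_after_failure(0), leaked_after_failure(1));
    return 0;
}
```

The caller cannot clean up in the leaking case because the failed acquire never hands the handle back, which matches the report that freeing all resources after the failed call still left blocks allocated.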


      Thu Jul 10 18:53:10 2003  Kent_Wu@trendmicro.com - Comments added    
     
From: Kent_Wu@trendmicro.com
Subject: RE: [krbdev.mit.edu #1656]
Date: Thu, 10 Jul 2003 15:52:22 -0700
To: <rt-comment@krbdev.mit.edu>
RT-Send-Cc: 

Yes, Tom. I do pass GSS_C_NO_CREDENTIAL to gss_init_sec_context(). This leak happens
when I didn't get the TGT beforehand. Got a handle on this one yet?

Kent

      Thu Jul 10 18:58:54 2003  Kent_Wu@trendmicro.com - Comments added    
     
From: Kent_Wu@trendmicro.com
Subject: RE: [krbdev.mit.edu #1656] CVS Commit 
Date: Thu, 10 Jul 2003 15:58:21 -0700
To: <rt-comment@krbdev.mit.edu>
RT-Send-Cc: 

Thx for the quick response, will you put up a new Beta on the web pretty soon?

Kent

      Thu Jul 10 19:05:18 2003  tlyu - Version_Fixed 1.3.1 added    
      Thu Jul 10 19:05:18 2003  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: CVS Commit

pullup from trunk


To generate a diff of this commit:



	cvs diff -r1.218.2.5 -r1.218.2.6 krb5/src/lib/gssapi/krb5/ChangeLog
	cvs diff -r1.31 -r1.31.2.1 krb5/src/lib/gssapi/krb5/acquire_cred.c


      Thu Jul 10 19:08:14 2003  tlyu - Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1656] CVS Commit
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 10 Jul 2003 19:08:13 -0400
RT-Send-Cc: 

>>>>> "Kent" == Kent Wu@trendmicro com via RT <rt-comment@krbdev.mit.edu> writes:

Kent> Thx for the quick response, will you put up a new Beta on the
Kent> web pretty soon?

Hi... we don't have a definite schedule set for the next release
(probably krb5-1.3.1) yet, but this patch will be included in it.
Also, we do not publicly disclose details of our release schedules.

---Tom


      Thu Jul 10 19:10:20 2003  Kent_Wu@trendmicro.com - Comments added    
     
From: Kent_Wu@trendmicro.com
Subject: RE: [krbdev.mit.edu #1656] CVS Commit
Date: Thu, 10 Jul 2003 16:09:47 -0700
To: <rt-comment@krbdev.mit.edu>
RT-Send-Cc: 

Okay, just let us know.

Thx.

Kent

      Wed Dec 16 18:02:41 2015  tlyu - Keyword pullup deleted