From: tlyu@mit.edu
Subject: CVS Commit

	* rd_cred.c (decrypt_credencdata): Clear and free ppart to avoid
	leak.  Reported by Derrick Schommer.


To generate a diff of this commit:



	cvs diff -r5.450 -r5.451 krb5/src/lib/krb5/krb/ChangeLog
	cvs diff -r5.43 -r5.44 krb5/src/lib/krb5/krb/rd_cred.c

Subject: decode_krb5_enc_cred_part() is leaking memory when performing
Cc: hartmans@mit.edu

I was running valgrind to check some of my kerberos authentication and
ran into this:

==11600== 28 bytes in 1 blocks are definitely lost in loss record 9 of 12
==11600==    at 0x1B90340D: calloc (vg_replace_malloc.c:176)
==11600==    by 0x125624: decode_krb5_enc_cred_part (in
/usr/lib/libkrb5.so.3.2)
==11600==    by 0x149E5E: (within /usr/lib/libkrb5.so.3.2)
==11600==    by 0x149F61: (within /usr/lib/libkrb5.so.3.2)
==11600==    by 0x14A23B: krb5_rd_cred (in /usr/lib/libkrb5.so.3.2)


Its only 28 blocks, but if I repeat the authentication over and over it
grows quickly.  It seems that when I get a forwarded tgt (krb5_fwd_tgt()
) and call krb5_rd_cred() it allocates some memory in the asn.1 decoder
and I'm not sure why its not cleaned up (or where it should be cleaned up).

All I know is that if I call krb5_rd_cred() 10 times I'll have 28 * 10
bytes of leaked memory.

Not sure what to do at this point.  I'm running krb5 1.3.4.

This is an official bug log.  Currently a post on comp.protocols.kerberos

Thanks; this was already filed as #2719 and fixed.

Date: Thu, 23 Sep 2004 16:48:41 -0400
From: Derrick Schommer <schommer@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2721] decode_krb5_enc_cred_part() is leaking memory when performing krb5_rd_cred
RT-Send-Cc: 

Awe crap.  I'm trying to put these in the database, because Sam
Hartman asked me too.

Did you get my bug on setuseruserkey()?  I used krb5-send-pr for that
one (not the web interface), and I have no clue if it actually was
sent.

If not, I'll add it to the database.  But basically on line 142 of
mk_req_ext.c there is no check to see if the keyblock for auth_context
already exists.  I did a setuseruserkey() awhile prior to the
mk_req_extended() call and it overwrote the key w/o freeing the one
that was set before it.

Derrick


On Thu, 23 Sep 2004 16:42:55 -0400 (EDT), Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
> Thanks; this was already filed as #2719 and fixed.
>

Date: Thu, 23 Sep 2004 16:48:41 -0400
From: Derrick Schommer <schommer@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2721] decode_krb5_enc_cred_part() is leaking memory when performing krb5_rd_cred
RT-Send-Cc: 

Awe crap.  I'm trying to put these in the database, because Sam
Hartman asked me too.

Did you get my bug on setuseruserkey()?  I used krb5-send-pr for that
one (not the web interface), and I have no clue if it actually was
sent.

If not, I'll add it to the database.  But basically on line 142 of
mk_req_ext.c there is no check to see if the keyblock for auth_context
already exists.  I did a setuseruserkey() awhile prior to the
mk_req_extended() call and it overwrote the key w/o freeing the one
that was set before it.

Derrick


On Thu, 23 Sep 2004 16:42:55 -0400 (EDT), Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
> Thanks; this was already filed as #2719 and fixed.
>