From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Oct 19 16:43:48 2005
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP id QAA24913; Wed, 19 Oct 2005 16:43:48 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9JKhApx011908 for ; Wed, 19 Oct 2005 16:43:10 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9JEsFpx012174 for ; Wed, 19 Oct 2005 10:54:15 -0400
Received: from mail.avidhosting.com (mail.avidhosting.com [64.4.195.71]) j9JEsGqs017762 for ; Wed, 19 Oct 2005 10:54:16 -0400 (EDT)
Received: (qmail 7130 invoked by uid 399); 19 Oct 2005 14:54:15 -0000
Received: from unknown (HELO endian.dyndns.org) (67.184.105.142) by mail.avidhosting.com with SMTP; 19 Oct 2005 14:54:15 -0000
Received: by endian.dyndns.org (Postfix, from userid 1000) id 0069117A969; Wed, 19 Oct 2005 09:54:12 -0500 (CDT)
To: krb5-bugs@mit.edu
From: Ed Plese
X-send-pr-version: 3.99
Message-Id: <20051019145412.0069117A969@endian.dyndns.org>
Date: Wed, 19 Oct 2005 09:54:12 -0500 (CDT)
X-Spam-Score: -0.783
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 19 Oct 2005 16:43:09 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: Ed Plese
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu

>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: Memory leak parsing ticket_lifetime from krb5.conf.
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.1
>Environment:
OS: Gentoo Linux
System: Linux morpheus 2.6.13-mm1 #1 SMP PREEMPT Wed Sep 7 06:40:46 CDT 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz GenuineIntel GNU/Linux
Architecture: i686
>Description:
This particular problem was noticed while running Samba 3 configured as a domain member of an Active Directory. Over a few hours of working with an Active Directory with a few thousand users, winbind would be using over 1 GB of memory and would need to be restarted.

Running valgrind on winbind showed (among other things) the following results after running "wbinfo -t" 1000 times.

==31865== 4004 bytes in 1001 blocks are definitely lost in loss record 36 of 44
==31865==    at 0x1B9042FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck.so)
==31865==    by 0x1B9FF911: krb5_libdefault_string (get_in_tkt.c:716)
==31865==    by 0x1B9FFBC3: krb5_get_init_creds (get_in_tkt.c:841)
==31865==    by 0x1BA00E0C: krb5_get_init_creds_password (gic_pwd.c:124)
==31865==    by 0x1D13FF: kerberos_kinit_password (kerberos.c:91)
==31865==    by 0x1BAB95DE: __libc_start_main (in /lib/libc-2.3.4.so)
==31865==    by 0x2F090: (within /usr/sbin/winbindd)

The culprit of the leak seems to be krb5_get_init_creds in get_in_tkt.c. Here is the code starting at line 839:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }

The problem is that on success, krb5_string_to_deltat returns 0 and therefore tempstr is never freed.
This should be fixable with the simple fix shown below:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
+       } else {
+           free(tempstr);
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }

There also appears to be a problem with retrieving the renew_lifetime configuration parameter in the code directly following the code shown above (starting at line 856), since that code is very similar to the above code.

I am not familiar with the codebase, so the above fix may not be correct and/or may overlook something. For this reason I haven't even tested this fix and instead just went with the workaround of removing the ticket_lifetime configuration parameter from krb5.conf.

>How-To-Repeat:
I'm sure there are simpler ways, but in my environment I did the following:

1. Configure Samba 3 to be an Active Directory domain member server.
2. Run "wbinfo -t" 1000 times. All it really takes is once, but running it 1000 times makes it more noticeable.

>Fix:
The simple workaround to this problem is to remove the ticket_lifetime configuration parameter from krb5.conf. This avoids the code path that causes the memory leak.
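Review bot: the added else branch does close the success-path leak, but the two branches now differ only in whether they free before leaving, so the free can be hoisted to a single unconditional call: `ret = krb5_string_to_deltat(tempstr, &tkt_life);` then `free(tempstr);` then `if (ret) goto cleanup;`. That shape also cannot regress if a third outcome is added later. The same change is needed for the renew_lifetime lookup at line 856 that the report points to, since it follows the same pattern and will leak in the same way.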
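The leak pattern from the report and its fixed form, as an added example that is not krb5 code: libdefault_string and string_to_deltat are constructed stand-ins with the same ownership contract (the callee hands back a heap string the caller must free; 0 means success), and a live-allocation counter makes the leak measurable across the repeated "wbinfo -t" style calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Added example, not krb5 code: stand-ins mirroring the ownership contract of
 * krb5_libdefault_string / krb5_string_to_deltat, counting live heap strings. */
static int live_allocs = 0;
/* Like krb5_libdefault_string: on 0, *out is a heap copy the caller must free. */
static int libdefault_string(const char *cfg_value, char **out) {
    if (cfg_value == NULL) return 1;              /* key absent from krb5.conf */
    if ((*out = strdup(cfg_value)) == NULL) return 1;
    live_allocs++;
    return 0;
}
static void release(char *s) { free(s); live_allocs--; }
/* Like krb5_string_to_deltat (simplified): "<n>", "<n>s", "<n>m" or "<n>h". */
static int string_to_deltat(const char *s, long *out) {
    char *end;
    long n = strtol(s, &end, 10);
    if (end == s || (*end != 0 && end[1] != 0)) return 1;
    if (*end == 'h') n *= 3600;
    else if (*end == 'm') n *= 60;
    else if (*end != 0 && *end != 's') return 1;
    *out = n;
    return 0;
}
/* The reported code: tempstr is freed only when parsing fails. */
static int tkt_life_leaky(const char *cfg_value, long *tkt_life) {
    char *tempstr; int ret;
    if ((ret = libdefault_string(cfg_value, &tempstr)) == 0) {
        if ((ret = string_to_deltat(tempstr, tkt_life))) release(tempstr);
    } else { *tkt_life = 24 * 60 * 60; ret = 0; }   /* old kinit.c default */
    return ret;
}
/* Fixed: free once, on every path, as soon as the string has been parsed. */
static int tkt_life_fixed(const char *cfg_value, long *tkt_life) {
    char *tempstr; int ret;
    if ((ret = libdefault_string(cfg_value, &tempstr)) == 0) {
        ret = string_to_deltat(tempstr, tkt_life);
        release(tempstr);
    } else { *tkt_life = 24 * 60 * 60; ret = 0; }
    return ret;
}
/* Calls fn `calls` times (the "wbinfo -t" loop) and returns strings still live. */
static int leaked_after(int (*fn)(const char *, long *), const char *cfg, int calls) {
    long v; int i;
    live_allocs = 0;
    for (i = 0; i < calls; i++) fn(cfg, &v);
    return live_allocs;
}
```

With a valid ticket_lifetime the leaky version leaves one string per call live, matching the "1001 blocks" valgrind figure in the report, while a parse error or an absent key leaks nothing, which is why removing the key from krb5.conf works as a workaround.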