From: john@iastate.edu
To: krb5-bugs@mit.edu
Date: Mon, 19 Nov 2007 08:12:42 -0600 (CST)
Message-Id: <200711191412.IAA02137@malison.ait.iastate.edu>
Subject: krb5_sendauth double free error
X-send-pr-version: 3.99

>Submitter-Id: net
>Originator: John Hascall
>Organization: Iowa State University
>Confidential: no
>Synopsis: krb5_sendauth can double free creds.server
>Severity: critical
>Priority: high
>Category: krb5-libs
>Class: sw-bug
>Release: 1.6.3
>Environment:
System: OSF1 malison.ait.iastate.edu V4.0 1229 alpha
Architecture: axp
Machine: alpha
>Description:
Starting at line 102 of src/lib/krb5/krb/sendauth.c (V1.6.3) we see:

    if ((retval = krb5_copy_principal(context, server, &creds.server)))
        goto error_return;
    if (client)
        retval = krb5_copy_principal(context, client, &creds.client);
    else
        retval = krb5_cc_get_principal(context, use_ccache, &creds.client);
    if (retval) {
        krb5_free_principal(context, creds.server);
        goto error_return;
    ...
  error_return:
    krb5_free_cred_contents(context, &creds);

Does this not free creds.server twice if krb5_copy_principal or (as in my case) krb5_cc_get_principal fails?
>How-To-Repeat:
Call krb5_sendauth with client==NULL, in_creds==NULL, ccache==NULL and no ccache file.
>Fix:
Delete line 112:

    krb5_free_principal(context, creds.server);
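The ownership mistake in the report is general: a member is freed on one error branch, the pointer is left dangling, and a shared cleanup label then frees every member again. The following is an added, self-contained C model of that pattern and of the proposed fix; it is not code from the report or from the krb5 library. The types (principal_t, creds_t), the functions (copy_principal, get_client_principal, free_cred_contents, sendauth_buggy, sendauth_fixed) and the allocation ledger are stand-ins I invented so the double free is counted instead of aborting the process, as a real second free() would under glibc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the krb5 types mentioned in the report. */
typedef struct { char name[64]; } principal_t;
typedef struct { principal_t *server; principal_t *client; } creds_t;

/* Allocation ledger: records how often each pointer was handed to free(),
   releasing memory only on the first call so the demonstration survives. */
#define LEDGER_MAX 16
static void *ledger_ptr[LEDGER_MAX];
static int   ledger_frees[LEDGER_MAX];
static int   ledger_n;

static void ledger_reset(void) { ledger_n = 0; }

static void *tracked_malloc(size_t n) {
    void *p = calloc(1, n);
    if (p && ledger_n < LEDGER_MAX) {
        ledger_ptr[ledger_n] = p;
        ledger_frees[ledger_n] = 0;
        ledger_n++;
    }
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < ledger_n; i++) {
        if (ledger_ptr[i] == p) {
            if (ledger_frees[i]++ == 0) free(p);  /* second free is only counted */
            return;
        }
    }
}

/* Number of allocations that were freed more than once. */
static int double_free_count(void) {
    int c = 0;
    for (int i = 0; i < ledger_n; i++) if (ledger_frees[i] > 1) c++;
    return c;
}

static principal_t *copy_principal(const char *name) {
    principal_t *p = tracked_malloc(sizeof *p);
    if (p) { strncpy(p->name, name, sizeof p->name - 1); }
    return p;
}

static void free_principal(principal_t *p) { tracked_free(p); }

/* Models krb5_free_cred_contents: owns releasing every member of creds. */
static void free_cred_contents(creds_t *c) {
    free_principal(c->server); c->server = NULL;
    free_principal(c->client); c->client = NULL;
}

/* Models the client lookup; fails when there is no credential cache, the
   condition the report's How-To-Repeat describes. */
static int get_client_principal(int have_ccache, principal_t **out) {
    if (!have_ccache) return -1;
    *out = copy_principal("client@EXAMPLE.COM");   /* constructed sample value */
    return *out ? 0 : -1;
}

/* The reported error path: an explicit free of creds.server, then the shared
   error_return label frees the same (now dangling) pointer again. */
static int sendauth_buggy(int have_ccache) {
    creds_t creds = {0};
    int retval;
    creds.server = copy_principal("host/srv@EXAMPLE.COM");  /* constructed */
    if (!creds.server) { retval = -1; goto error_return; }
    retval = get_client_principal(have_ccache, &creds.client);
    if (retval) {
        free_principal(creds.server);   /* first free; pointer left in creds */
        goto error_return;
    }
error_return:
    free_cred_contents(&creds);         /* second free of creds.server */
    return retval;
}

/* The fix the report proposes: drop the explicit free so the single cleanup
   point is the only owner of every member. */
static int sendauth_fixed(int have_ccache) {
    creds_t creds = {0};
    int retval;
    creds.server = copy_principal("host/srv@EXAMPLE.COM");  /* constructed */
    if (!creds.server) { retval = -1; goto error_return; }
    retval = get_client_principal(have_ccache, &creds.client);
    if (retval) goto error_return;
error_return:
    free_cred_contents(&creds);         /* frees each member exactly once */
    return retval;
}

/* Runs one variant without a ccache and returns the double frees observed. */
static int run_and_count(int (*variant)(int)) {
    ledger_reset();
    (void)variant(0);
    return double_free_count();
}

int main(void) {
    printf("buggy: %d double free(s)\n", run_and_count(sendauth_buggy));
    printf("fixed: %d double free(s)\n", run_and_count(sendauth_fixed));
    return 0;
}
```

Running it reports one double free for the buggy variant and none for the fixed one. The design point is the one the report makes implicitly: when a function has a single cleanup label that releases a whole structure, no earlier branch should release individual members of that structure; if a partial release is unavoidable, the freed pointer has to be set to NULL so the cleanup tolerates it.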