Message-Id: <4595A21E.2040101@mit.edu>
Date: Fri, 29 Dec 2006 18:17:50 -0500
From: Ezra Peisach
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5233] Change in behaviour in gss_release_buffer() by mechtypes introduces memory leak

Well - here is my patch.... Appears to work w/o complaint w/ gssftp.... Included is another memory leak patch - on error case....

Index: krb5/k5sealv3.c =================================================================== --- krb5/k5sealv3.c (revision 19019) +++ krb5/k5sealv3.c (working copy) 
@@ -412,10 +412,16 @@ if (load_16_be(althdr) != 0x0504 || althdr[2] != ptr[2] || althdr[3] != ptr[3] - || memcmp(althdr+8, ptr+8, 8)) + || memcmp(althdr+8, ptr+8, 8)) { + free(plain.data); goto defective; + } message_buffer->value = plain.data; message_buffer->length = plain.length - ec - 16; + if(message_buffer->length == 0) { + free(message_buffer->value); + message_buffer->value = NULL; + } } else { /* no confidentiality */ if (conf_state)
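
Review bot: In the added zero-length branch, `free(message_buffer->value)` releases the same allocation that `plain.data` still points to, so `plain.data` is left dangling; the same holds after `free(plain.data)` ahead of `goto defective`. Set `plain.data = NULL` after each free so that any cleanup reached later cannot free the buffer a second time. The subtraction `plain.length - ec - 16` has no bound check in the visible lines; unless an earlier check already guarantees `plain.length >= ec + 16`, the result can wrap if the length type is unsigned, and the new `== 0` test will not catch that. A one-line comment saying why the empty buffer is freed here rather than left to gss_release_buffer() would help the next reader, and `if(` should be `if (` to match the surrounding code.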