Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) X-RT-Original-Encoding: iso-8859-1 Content-Length: 2570 From kwc@dh171.citi.umich.edu Fri Oct 4 09:24:32 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP id JAA13557; Fri, 4 Oct 2002 09:24:32 -0400 (EDT) Received: from dh171.citi.umich.edu (dh171.citi.umich.edu [141.211.133.171]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA14956 for ; Fri, 4 Oct 2002 09:24:32 -0400 (EDT) Received: (from kwc@localhost) by dh171.citi.umich.edu (8.11.6/8.11.6) id g94DRuN32591; Fri, 4 Oct 2002 09:27:56 -0400 Date: Fri, 4 Oct 2002 09:27:56 -0400 Message-Id: <200210041327.g94DRuN32591@dh171.citi.umich.edu> To: krb5-bugs@mit.edu Subject: padata memory leak in AS_REQ path From: kwc@citi.umich.edu Reply-To: kwc@citi.umich.edu X-send-pr-version: 3.99 >Submitter-Id: net >Originator: Kevin Coffman >Organization: Kevin Coffman Center for Information Technology Integration ---------------------- University of Michigan Phone: (734) 763-0592 3106 Argus mailto:kwc@umich.edu 535 West William Street ---------------------- Ann Arbor, MI, 48103-4943 http://www.citi.umich.edu/u/kwc/ >Confidential: no >Synopsis: padata not freed from reply structure >Severity: serious >Priority: medium >Category: krb5-kdc >Class: sw-bug >Release: krb5-1.2.5 >Environment: All systems and architectures are affected. >Description: When preauthentication data is returned as part of the AS_REQ, the padata is never released from the reply structure after the return packet is constructed. Also, normal processing already frees the encrypting_key contents, so it should be free conditionally in the errout: section. >How-To-Repeat: AS_REQs for users with only an AFS key in the database have the pw-salt padata returned in the response. Also, we have code to use the SPECIAL salt type for users whose principal name (uniqname) has been changed. This also results in padata being returned in the response. >Fix: Apply the following patch (this patch is against the 1.2.6 release): --- src/kdc/do_as_req.c.orig Fri Oct 4 09:00:10 2002 +++ src/kdc/do_as_req.c Fri Oct 4 09:04:35 2002 @@ -448,8 +448,10 @@ errcode = prepare_error_as(request, errcode, &e_data, response); } - krb5_free_keyblock_contents(kdc_context, &encrypting_key); - + if (encrypting_key.contents) + krb5_free_keyblock_contents(kdc_context, &encrypting_key); + if (reply.padata) + krb5_free_pa_data(kdc_context, reply.padata); if (cname) free(cname); if (sname)